Government // Mobile & Wireless
Commentary
9/24/2009
03:48 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Secrecy Is A Stupid Way To Sell Software Security

It makes my day when someone out to "expose" the flaws in open-source software ends up doing exactly the opposite.

It makes my day when someone out to "expose" the flaws in open-source software ends up doing exactly the opposite.In a recent ZDnet interview, an executive with a company called Nominum tried to make a case for using his company's hosted DNS solution. Nominum's technology, which is intended to replace the ubiquitous, open-source Berkely Internet Name Domain (BIND) software, isn't of interest to most bMIghty readers.

Nominum executive Jon Shalowitz's attempt to explain what's "wrong" with BIND, however, is absolutely priceless.

I'll skip over Shalowitz's muddled claim that "open source" equals "freeware" -- a whopper that he follows with a disingenuous attempt to associate "freeware" with "malware." The real fun starts later in the interview, when he explains why Nominum is so much more secure than BIND or other open-source applications: Number one is in terms of security controls. If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code.

By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.

By its very nature, something that is freeware or open source [is open]. There are vendors that take a freeware product and make a slight variant of it, but they are never going to be ever able to change every component to lock it down.

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure. A quick trip to Netcraft reveals that Nominum's IT staff apparently didn't get the memo about avoiding software that "everybody" can "look into": The company runs an Apache Web server on Red Hat Linux. And a subsequent claim that "Nominum has never had a single known vulnerability in its software" is simply a lie: As one of Nominum's own security advisories points out, the company's products were affected last year by a serious DNS cache-poisoning exploit.

But the ultimate take-away lesson from this propaganda exercise is Shalowitz's claim that security through obscurity is a more effective way to build software.

It isn't. Shalowitz himself explains why at the end of the interview: You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside. The software being run and the network itself are very critical. And that's one point the customer really needs to be wary of.

Thanks, Jon, I couldn't have said it better myself.

Decades of security exploits, hacker attacks and malware variants prove that trying to secure software by keeping the source code a secret is a fool's game. The only party that gains a "security" advantage from closed source code is the vendor providing the software; it has the luxury of deciding if and when to disclose the vulnerability and issue a fix.

Sometimes, there are legitimate technical or business reasons to choose a closed-source, proprietary application. And in some cases, there might even be a reason to use one of Nominum's closed-source products. But when a software vendor tells you that its product is more secure because its closed source code is a "secret," it's time to find the exit. How can you trust a company like this to tell you the truth about its products when it can't seem to tell you the truth about anything else?

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
Protecting Critical Infrastructure: A New Approach NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.