Government // Enterprise Architecture
Commentary
3/31/2008
10:56 AM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Linux Wins The Security Showdown! Now What?

So now that Ubuntu Linux was "last man standing" in the PWN to OWN contest at CanSecWest, does this mean open source has it all over the competition when it comes to security?  It can, and it ought to -- but it's not a guarantee.  And we need to not think it is.

So now that Ubuntu Linux was "last man standing" in the PWN to OWN contest at CanSecWest, does this mean open source has it all over the competition when it comes to security?  It can, and it ought to -- but it's not a guarantee.  And we need to not think it is.

A while back I wrote about a vaguely parallel issue -- how open source won't guarantee the survival of a given piece of software if the original developers drop off the face of the earth, but it makes survival that much easier a proposition.  The same goes for the security of open source products: the fact that it's open source is only one part of a whole approach.  Just putting the code out there to be freely eyeballed by all and sundry won't automatically make it secure.  It has to be looked at by people who know what to look for, know how to fix it, and are willing to do a proper job.

When talking to programmers about security, I've come away with a few impressions: 1) that security is something you have to be made conscious of in the first place; 2) that you have to understand the context of what you're inspecting; and 3) almost no amount of foresighted programming will keep an inept user from doing something stupid.  It's the last part that has programmers often bashing their faces into their keyboards in frustration, because in the end most of them are not writing software for other programmers or other security people.  Most people are neither security experts nor are they computer experts -- and frankly, most of them don't want to become either of those things.

As Linux and open source in general become incrementally more popular with the broad mass of users weaned on closed source applications (whether they were designed with security-through-obscurity or actual code review or what have you), this is going to become critically important.  If you have a package that was used by ten thousand people which suddenly gets used by seven hundred thousand, it becomes that much more of a target -- both for malice and incompetence.

The problems with the phpBB bulletin board application come to mind -- it's had a slew of security issues that led at one point to some ISPs banning it outright.  One site I was co-managing used it, and got eaten alive not once but twice -- and this was despite habitually upgrading to the most recent versions!  (They've since taken the forums completely offline.)  Now imagine a similarly-weak application being run on people's Linux desktops.  Granted, phpBB has gotten better since, but I think the parallel still stands.  That and it's also hard to win back people's trust after you've already inadvertently burned them.

If this sounds like the old saw about "the only reason Linux doesn't have as many security holes is because it isn't as big a target," well, there's a kernel of truth to that, pun unintended.  As Linux ramps up with the masses and more people openly trust sensitive things to it, it will become that much more of a target -- and the people who contribute code to it need to be that much more proactive about the quality of what they're putting out there.  It won't happen magically.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Howard Marks talks about steps to take in choosing the right cloud storage solutions for your IT problems
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.