Linux Wins The Security Showdown! Now What? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Enterprise Architecture
Commentary
3/31/2008
10:56 AM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Linux Wins The Security Showdown! Now What?

So now that Ubuntu Linux was "last man standing" in the PWN to OWN contest at CanSecWest, does this mean open source has it all over the competition when it comes to security?  It can, and it ought to -- but it's not a guarantee.  And we need to not think it is.

So now that Ubuntu Linux was "last man standing" in the PWN to OWN contest at CanSecWest, does this mean open source has it all over the competition when it comes to security?  It can, and it ought to -- but it's not a guarantee.  And we need to not think it is.

A while back I wrote about a vaguely parallel issue -- how open source won't guarantee the survival of a given piece of software if the original developers drop off the face of the earth, but it makes survival that much easier a proposition.  The same goes for the security of open source products: the fact that it's open source is only one part of a whole approach.  Just putting the code out there to be freely eyeballed by all and sundry won't automatically make it secure.  It has to be looked at by people who know what to look for, know how to fix it, and are willing to do a proper job.

When talking to programmers about security, I've come away with a few impressions: 1) that security is something you have to be made conscious of in the first place; 2) that you have to understand the context of what you're inspecting; and 3) almost no amount of foresighted programming will keep an inept user from doing something stupid.  It's the last part that has programmers often bashing their faces into their keyboards in frustration, because in the end most of them are not writing software for other programmers or other security people.  Most people are neither security experts nor are they computer experts -- and frankly, most of them don't want to become either of those things.

As Linux and open source in general become incrementally more popular with the broad mass of users weaned on closed source applications (whether they were designed with security-through-obscurity or actual code review or what have you), this is going to become critically important.  If you have a package that was used by ten thousand people which suddenly gets used by seven hundred thousand, it becomes that much more of a target -- both for malice and incompetence.

The problems with the phpBB bulletin board application come to mind -- it's had a slew of security issues that led at one point to some ISPs banning it outright.  One site I was co-managing used it, and got eaten alive not once but twice -- and this was despite habitually upgrading to the most recent versions!  (They've since taken the forums completely offline.)  Now imagine a similarly-weak application being run on people's Linux desktops.  Granted, phpBB has gotten better since, but I think the parallel still stands.  That and it's also hard to win back people's trust after you've already inadvertently burned them.

If this sounds like the old saw about "the only reason Linux doesn't have as many security holes is because it isn't as big a target," well, there's a kernel of truth to that, pun unintended.  As Linux ramps up with the masses and more people openly trust sensitive things to it, it will become that much more of a target -- and the people who contribute code to it need to be that much more proactive about the quality of what they're putting out there.  It won't happen magically.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll