Security: An Apples-To-Open Comparison? - InformationWeek


Commentary
9/9/2009 09:51 AM
Serdar Yegulalp

Security: An Apples-To-Open Comparison?

Here is a question which has been bothering me for some time now, and which doesn't stand much of a chance of resolving itself. Is comparing the much-vaunted security benefits of open source software to similar proprietary apps a false comparison?

Part of this was inspired by news of another (yes, another) exploit in WordPress. Admittedly it's one that targets a slightly older version of the software, but WordPress is infamous for this sort of thing. The blogging platform I use myself, Movable Type, has rarely been attacked in the same fashion. When I mentioned this discrepancy to my programmer friend, he gave me a bemused talk about the way PHP has made it possible to write both very popular and horribly insecure web applications.

But then I popped the bigger question: Doesn't it make more sense to compare the security benefits of a given open source application only to other open source applications? Since proprietary apps are by definition closed, we can't conduct our own audit and find out how exploitable the code is, so it doesn't make sense to compare them.

So why do we do it? Probably as a selling point -- as a way to convince people that open source is better across the board. But that's something that should be decided on an application-by-application basis. If a given application is better for one's needs, it shouldn't matter how it was developed; its merit should be in the using.

Maybe part of the problem is that security metrics themselves are a mess, because we mostly go by number of reported and closed incidents -- which is about all we can go by. Unless we set up some authority (who?) to audit code line-by-line ... and from all I've seen, the best security comes from well-trained programmers who write security-conscious code, not auditing.

One possible comeback to this is the old saw about how open source is inherently that much more improvable. I agree with that, but I've learned to temper my enthusiasm: what matters more is whether or not there are the right people in the right position to fix what's wrong with the program. Yes, you can fix it yourself -- but I'm learning that the number of people truly qualified to fix egregious security issues may be even smaller than the number of people qualified to detect them.

All I'm saying, in the end, is that we should make fair comparisons on both sides. It makes the most sense to compare things like MT and WP to each other when talking security, and not to proprietary products where the nature of security is an entirely different game altogether.

