It might be a case of comeuppance or just the law of averages, but Linux and other open-source apps are nudging Microsoft out of the security snafu spotlight.

Even if it's just a short-lived reprieve, Microsoft must be relieved to see the debate shift to whether the open-source community can respond to security flaws as quickly and effectively as proprietary software vendors.

MS vs. open source: Security's the same
Microsoft has its share of security problems--but so does the open source community. Wayne Rash says neither has the edge when it comes to fixing flaws.

Open sourcers wear the white hats
Bruce Perens, an open source advocate, says the open source model is better for finding security flaws, but a more formal process could be even better.

Too much trust in open source?
Open-source developers have been complacent that their programs are more secure than proprietary software. Recently discovered flaws suggest that open-source applications are just as vulnerable. March 20, 2002

Reader: "Windows is a victim of its popularity"
Mark Cochran says that because Microsoft is so big, it's a bigger target for hackers. But he doesn't think proprietary or open source is the issue--the fault lies elsewhere.

Open sourcers wear the white hats

Who looks through a proprietary product for security flaws? Maybe one or two paid reviewers. The rest of them are "black hats," outsiders who disassemble the code or try various types of invalid input in search of a flaw that they can exploit. Only a black hat would disassemble code to look for security flaws. You won't get any "white hats" doing this for the purpose of closing the flaws.

So, if you don't publish your source, expect that only black hats, and the few people inside of your company who work on the product, will look at your code. Apparently, the black hats are very successful at finding security flaws this way, and the folks on the inside aren't very effective at stopping them.

Many companies are strapped for cash, and they omit the security review entirely. They figure that security is something they can go back and fix after they have enough customers for it to matter, and when people start reporting problems.

In contrast, open source has a lot of "white hats" looking at the source. They often do find security bugs while working on other aspects of the code, and the bugs are reported and closed. However, open source can still profit from a formal security review, just as proprietary code can, and there is an accelerating trend to do formal security reviews in open-source projects.

But code review is no cure-all. You can't find all bugs by looking for them, because trouble often comes in an unexpected form. Thus, those white hats who stumble upon bugs while working on the source are still essential companions to the code reviewers.

One great example in this regard is Borland's Interbase database server, because it was both proprietary and open source, and had an undisclosed security problem during its transition from one to the other.

Interbase is an enterprise-class database product that ran airline reservation systems and other mission-critical applications of large companies. Certainly Borland had the funds to do security reviews on the product. But some time between 1992 and 1994, an employee at Borland inserted an intentional back door into the database. The back door completely circumvented the security of both the database and the operating system hosting it--in some cases, the back door would have allowed an outsider to gain a system administrator login. The back door was not well hidden. I assume that it was done maliciously, and not on orders of Borland's executives.

Anyone could have found this back door by running an ASCII dump of the Interbase executable, for example, by using the "strings" command on Unix or Linux. But if anybody found it, they kept it to themselves, and perhaps used the exploit for their own gain. The back door remained in the product for at least six years. At least one person knew of it, and could have exploited it, for this entire time. How many friends did he tell?

Borland released Interbase to open source in July 2000. An open-source programmer who wasn't looking for security flaws discovered the back door by December 2000, and reported it to CERT.

Do you think open-source software is more secure than proprietary programs? TalkBack below.

Too much trust in open source?

While Microsoft has concentrated on reviewing its flagship Windows source code as part of a new focus on security, Internet watchdogs have released the details of three widespread flaws in open-source applications usually shipped with the Linux operating system.

The flaws could compromise the security of computers on which the applications are installed, prompting some developers to urge the open-source community to take another look at popular code. But most fear the majority of members won't bother.

"No one is doing auditing," said Crispin Cowan, chief scientist at Linux maker WireX Communications, one of several companies selling a version of the OS with additional security options. Cowan is the founder of Sardonix, a Web site aimed at organising groups of people who want to review major open-source software.

"Reviewing old code is tedious and boring and no one wants to do it," Cowan said.

With Microsoft launching a major security initiative in response to recent criticism, some fear that Linux and open-source developers have become complacent in the commonly held belief that open-source programs are more secure.

This year offered several reasons to question that belief.

In February, a flaw found in the popular scripting language PHP left as many as 9 million Web sites vulnerable to attack. Though the number of vulnerable sites could be as low as 100,000 and the flaw is hard to exploit, the software bug resembles the Web software slipup that left Microsoft servers vulnerable to the Code Red virus.

In March, another flaw, in the omnipresent Zlib compression library, left Linux systems potentially vulnerable to attack, though no program exploiting the hole has surfaced.

And in mid-March, a bug in the OpenSSH communications encryption program, commonly used to secure communications to and from Linux computers, left many of those machines open to attack.

The spate of flaws has not gone unnoticed by the open-source community's more vocal members.

"I see a lot of bad software being done," said Theo de Raadt, founder and project leader for the open-source Unix variant OpenBSD. "There is a lot of politics and inaction causing people not to make changes that makes their software better."

The "many eyes" theory

Open-source software's main claim to security is that because anyone can view the source code, developers can constantly look for bugs and fix them. And with a broad cross-section of expertise in the developer community, programmers with specific strengths can look for hard-to-understand, "deep," bugs and fix what others might miss.

In his essay on the open-source movement, "The Cathedral and the Bazaar," developer Eric Raymond wrote, "Given enough eyeballs, all bugs are shallow."

De Raadt led a team of OpenBSD developers on just such a review, cleaning up the source code for the Unix-like operating system and replacing functions that were known to be insecure with more robust substitutes.

Yet, the "many eyes" theory, as it is known in the open-source world, doesn't work so well in reality, said WireX's Cowan.

"It does not assure that many eyes are actually looking at the code," Cowan said. "In fact, it is likely that 'rock star' code that is hip to work on gets adequate attention, while the other 90 percent languishes, in many cases never even seen by anyone but the code's authors." And much of this unsexy code forms the foundation of Linux.

Cowan hopes his Sardonix site will become a central registration point for auditing efforts, but for now, Linux and open-source software must rely on developers feeling obligated enough to commit to the drudgery of vetting source code for software bugs.

After security researchers found the flaw in the Web scripting language PHP, a group of programmers decided to start auditing that popular project's code.

"It's difficult to introduce new features and review the existing code at the same time," said Frank Denis, a part-time systems administrator for a French Internet service provider and leader of the PHP code-auditing project. "It's why we are trying to give a hand on that point. We won't introduce any new features, but we will fix potentially dangerous code."

A central process to find bugs, such as Microsoft's Trustworthy Computing initiative, will never catch all flaws in open-source software, Denis added.

"To break into your server, script kiddies will try totally unconventional tricks that have no chance of being part of any initial validation procedure," Denis said, referring to the class of online vandals who are not as technically adept. "The result of (our) different approaches will give a more extensive audit than any strict guidelines. That is the strength of free software: Everyone can put his own brick in the wall."

Polishing the software

Despite the security problem with his own project's code, Jean-loup Gailly, chief software architect for Vision IQ and the co-creator of the Zlib compression library, stressed that Linux's development process still creates more secure code.

"Open-source programs are subject to much more scrutiny and, in case of problems, fixed much more quickly than closed-source programs," Gailly said. "Apache is not more popular than Microsoft IIS (Internet Information Server) by accident; one of the reasons is that it is more secure."

An additional layer of polish is put on the source code by companies and organisations such as Red Hat and Debian, which package their own Linux distributions, Gailly added.

Linus Torvalds, a senior engineer at chipmaker Transmeta and the creator of the Linux kernel, thinks the open-source development style works well.

"Most (code review) by far is simply people looking at code, often for some other reason that had nothing to do with formal auditing," Torvalds said. "I personally like it that way, and it's proven to work pretty well in practice."

Moreover, rather than seeing a threat from Microsoft's new focus on security, Torvalds believes the move shows how weak the company's security used to be. Microsoft wouldn't provide an executive for comment on the issue.

"Let's face it," Torvalds said. "Microsoft did their initiative because they've been so bad at security in general. They fix bugs when somebody drives a truck through them and they get embarrassed enough. Get embarrassed (often) enough, and you start creating 'initiatives'--whether in politics or in commercial software."

He continued: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet."

What do you think? TalkBack below.

Reader: "Windows is a victim of its popularity"

In many ways, when it comes to security, Windows is a victim of its popularity. Those who implement security exploits, much like commercial developers, look for the greatest possible payoff in terms of computing community impact (often referred to as "market penetration" for commercial products). So, if it's bang for the buck that entices developers, Windows is the target OS of choice.

Although I am a devout loyalist of the Macintosh, if the Mac had anywhere near the installed workstation and server base that Windows enjoys, the list of exploits targeted at the MacOS and applications running under it would grow accordingly. With the new MacOS being based on open source code, in many ways the problem has been simplified for the hackers partial to attacking Unix-based systems. It's just not worth the effort.

So, where do I come down on the open source vs. proprietary issue? I come squarely down on the side of the security-conscious system administrator and user. In the end, if I leave my keys in my unlocked car, my complaints about my car's security holes seem pretty feeble.

What do you think? TalkBack below.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.