Friday, October 2, 2009

Increase Security through Open Source?

Is it not logical that closing the door to your security system would reduce the risk and leave fewer vulnerabilities? Would a closed software system, with less exposure, not reduce the likelihood of a successful attack? The question, when considering the security risks in your system, is which is better to use: open source or closed source?

There has to be a clear understanding of the distinction between the security of a system, its exposure and the risk associated with using it. Risk is defined as the combination of the likelihood of a successful attack and the damage resulting from it. The exposure of a system is not just whether attackers can get into it, but whether they know its vulnerabilities and whether the system is a high-profile target. How secure the system is depends on the number of vulnerabilities and their severity.

Closed source denies the attacker easy access. However, it is well known that hackers take this as a challenge and do not stop until they have found a way into the closed system and can create havoc. One of the major problems is that the producers of the closed source are the only ones who can create patches for the vulnerabilities that have been exploited, and it can take them weeks or months to deliver those patches. In the meantime, users of the system remain vulnerable. The hackers who found the hole will pass the information on to other hackers and to the public over the internet, eventually creating even more damage for the victim.

An open source system does expose its code to the public, and that actually puts the potential victim on guard: they know they have to install preventive software patches to protect themselves. This is a good thing, because open source users help each other by contributing these patches to a central repository. There is a network effect: users can find more patches, and find them faster, to resolve their problem quickly, and they can add extra security measures of their own. Evidence suggests that patches for open source software are released almost twice as fast as for closed software, cutting the vulnerability period in half. If a user is unable to patch a bug himself, open source lets him communicate with the developers about the bug more efficiently. As a side effect, because the source is open to the public, it stimulates research and development of new and improved tools for software development, testing and evaluation. In the long run, openness of the source increases its security.