When It Comes to Security, Openness Isn't Always a Virtue - Rebuttals
It's hard to imagine a topic more central to the argument for or against free and open source software than security.
Hardly a day goes by without news of some fresh exploit in the Windows environment, after all -- but what about Linux and other open software? Can they do better?
That's essentially the question we put to the two participants in LinuxInsider's first FOSS Face-Off this week.
In Part 1, Sam Ransbotham, an assistant professor of information systems at Boston College's Carroll School of Management, made the case that openness isn't always a virtue when it comes to security, citing data from recent research he's done.
"Open source code can help attackers create exploits once a vulnerability is discovered," Ransbotham explained. "This is a cost of transparency."
'Security Through Obscurity Is a Joke'
Next, in Part 2, Joe Brockmeier, GNOME PR team lead and former openSUSE community manager for Novell, made the case for FOSS's superior track record, asserting that "security through obscurity is a joke."
Microsoft's Internet Explorer, for example, "has been found to have many exploitable vulnerabilities," Brockmeier pointed out. "These were not discovered because IE's code is open; they were discovered through other means.
"It's entirely possible for motivated and talented attackers to discover vulnerabilities in software without access to source code," he added, "but lack of access to source code hinders those who would like to discover and fix vulnerabilities as soon as possible."
'This Should Scare the Hell Out of People'
Referring to the hosted applications that are part of many cloud computing initiatives, meanwhile, Brockmeier pointed out that "companies have not shown a tendency to be entirely forthcoming about security breaches unless they have to be."
"It's not only impossible to examine the code for vulnerabilities, it's also impossible to know exactly what is being done with your data," he explained. "This should scare the hell out of people when talking about their personal data."
LinuxInsider invited each side to offer a rebuttal to the other's comments for presentation in this third and final piece of our series on the topic.
'It Is Not a Birthright'
Here's what Ransbotham had to say:
"Open source code has the potential for many advantages -- increased scrutiny prior to release, more developers to correct problems when found, and a community active in deploying patches, etc. -- but there is the potential for disadvantage too as attackers can see the code.
"I think there are two important points: First, the potential for advantages takes effort to convert to actual advantage. Many/most open source projects have this, but it is not a birthright. Second, there is benefit from recognizing potential disadvantages and allocating time/effort accordingly -- attackers likely will. Open source code does not inherently create security without effort.
"Mobile and cloud computing isn't strictly an open source versus closed source issue, but clearly has many of the same core issues around transparency. In cloud computing, for example, while there is potential for greater security through aggregation of security efforts, there are some really messy incentives that can easily create problems.
"I too doubt how forthcoming cloud providers will be unless we figure out some counter-incentives. That is a challenge for the security community -- finding ways to benefit from cloud computing while minimizing the downsides."
'The Benefits Far Outweigh This Cost'
Brockmeier did not offer a rebuttal, so all that remains now is to declare a winner of this debate.
In this particular case, it seems the crown can only go to FOSS, since both sides essentially agreed that transparency offers many benefits.
Even as he referred to the "cost of transparency" uncovered by his research, Ransbotham acknowledged that "my sense is that the transparency benefits far outweigh this cost."
His overall message, then, was primarily a cautionary one.
"Overall, openness is a virtue, but not without elements of vice," he concluded. "The challenge for open source communities is to maintain the benefits while mitigating the downsides."
That is a view few would disagree with -- even the most fervent supporters of FOSS.
A Certain Amount of FUD
So what does it all mean? The transparency of free and open source software is increasingly recognized as an important benefit -- even by experts studying software security, and even when their research identifies a cost that comes with it.
The "security through obscurity" argument may still be frequently uttered by those on the pro-proprietary side, but -- at least, based on this debate -- it lacks substance. Indeed, given the financial stakes for those on the proprietary side, one could easily make the case that a certain amount of FUD is to be expected.
The growing ranks of FOSS proponents, then, should be heartened. When it comes to security, free and open source software has been held up, scrutinized, and declared superior.