Hand Over the Keys for Greater Security
January 21st, 2009 by David Bradley
Microsoft Internet Explorer. Mozilla Firefox. Two tools for browsing the web. One, MSIE, shrouded in Microsoft’s corporate secrecy. The other, FF, developed as open source software. Which do you think is the most vulnerable to security threats, which is a major target of hackers, and which has to be “patched” the most often to prevent malicious users exploiting the vulnerabilities?
The answer is obvious to advocates of the Firefox browser, but seems paradoxical. How can a program whose inner workings anyone can inspect be more secure than a proprietary package with restrictive licensing, blocks on reverse engineering and all manner of other complications? It’s as if you etched your safe’s combination on the door of the safe itself and then left the door unlocked just to be sure anyone could get to the contents.
Joseph Heili and Jean-Mathias Heraud of the Groupe ESC Chambéry in Le Bourget du Lac, France, certainly recognize this paradox. In a research paper entitled “To prevent them from entering, provide the keys”, they agree that the notion of open source software seems to invite major risks, and yet they point out that the French National Defence and countless other organizations prefer OSS to proprietary closed source software.
The solution to this paradox lies in one other well-known aspect of open source, aside from the fact that it is freely available for anyone to use and do with as they will: the main weakness of open source is exposed only when a new program is released. In the early stages of release, it takes time for a community of users and programmers to build up around an open source program. However, communities quickly build around valuable products. Critical mass was reached rapidly with Firefox, the Linux operating system, and countless open source versions of common (and not so common) Windows and Mac programs.
Such an open source community then has an inherent ability to react quickly to exposed vulnerabilities, bugs, and other issues and to address them before they translate into widespread problems. The same cannot be said of proprietary software. With such closed source products, it might take some time for awareness of a problem to circulate within the software house, for the problem to be tabled at a committee meeting, and for a course of action aimed primarily at public relations damage limitation to be instigated, followed eventually by a patch.
Another issue that can never be addressed completely by companies selling closed source software is that they become obvious targets of hackers and crackers. The secret contents of a locked safe in the offices of a company held in disdain by various kinds of ideologists is, it seems, a far more attractive target than the proverbial open book lying on a desk in a public lobby.
Joseph Heili, Jean-Mathias Heraud (2009). To prevent them from entering, provide the keys. International Journal of Information Technology and Management, 8(1), 19-32.