24 March 2006 | 7,143 views

Is Open Source Really More Secure?

Is Open Source more secure? That’s a question that can be answered with both yes and no. Not only that, but the reasons for the “yes” and the “no” are pretty much the same. Because you can see the source, the task of hacking or exploiting it is made easier; but at the same time, because it’s open and more easily exploited, the problems are more likely to be found.

When it comes to open source, the hackers and crackers are doing us a favour: they find the problems and bring them to the attention of the world, where some bright spark will make a fix and let us all have that too. All well and good.

However, I think this could also be a problem, because let’s face it: any monkey can download “free” software to use for this or that, with little or no idea how it actually works. They don’t check for fixes and updates, often believing “it will never happen to me”. In part this is because they just don’t see any reason for someone to hack them. But in the modern world, where any script kiddie little git can download a virus construction kit, or a bot to run exploits on lists of servers, it’s no longer a case of being targeted. They don’t care who you are; it’s the box they are after.

Recently a friend of mine suffered from this very problem; he didn’t believe he was worth the effort to hack. But simply by using an open source web app he unwittingly made himself a target. Though a fix was available, he wasn’t aware of it. It was only when the host contacted him about problems that he even realised he’d been exploited.

With the growing popularity of the internet and open source solutions, more and more unskilled users are installing software they don’t even understand. Even worse, as any one application grows in popularity it grows as a worthwhile target for the low-life script kiddies out there.

The problem has been exacerbated by the simple truth that with modern scripting languages such as PHP it is getting easier and easier to make something. Being able to hack code together until it works might be fun, and you might make something that does the job, but it’s not a way to make safe, secure software.

Most often exploits are based on stupid mistakes: errors that should have been found early on but weren’t, because the code evolved, expanded and changed. No design, no planning, just code it until it works. This is the original meaning of “hacking”.

Now, without mentioning names, I have pulled apart the code used in the CMS the friend I mentioned earlier used, and without doubt I can say it’s poorly written. But it was free, so no one can complain.

I am sure there are some very good open source applications, Linux and Apache to name a few, but there is even more “open source” that’s just garbage. Just because it’s free doesn’t mean it’s good. Just because it’s popular doesn’t make it better. In fact, as far as I can tell, if you want to use open source applications you’re probably better off choosing one no one else has really bothered with; that way you’re less likely to become a victim.

Closed source always has the advantage that it is a little harder to find the problems. However, and this is important, it doesn’t mean it’s any better. As a friend of mine pointed out, open source might be easier to hack in some ways, but because of that the problems come to light and generally are fixed quickly. Whereas with a closed source application it’s actually in the interests of the authors to keep any problems hidden; if it’s not a common problem it may even go unfixed, because the author sees it as being unlikely anyone else will ever find it. Or a fix will be bundled up with a later version, and thus many people will never even know they could be at risk.

In the end I do believe open source is good for us all, but it’s important to check regularly for updates, patches and fixes. If you don’t, on your own head be it.
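As an added illustration of that last point about checking regularly for fixes (this is example code written for this edit, not code from the original post or from any project it mentions; the component names, installed versions and "fixed in" list are constructed sample data, not real advisories): a small Python check that compares an installed inventory against the first release that carries a fix. It compares versions numerically rather than as strings, because a lexical comparison ranks "1.9.2" above "1.10.0" and would silently miss exactly the kind of available fix the friend in the story never heard about.

```python
"""Flag installed web-app components that predate the release carrying a fix.

Added example, not from the original post. INSTALLED and FIXED_IN are
constructed sample data standing in for a real inventory and a real list
of release notes.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: what an operator actually has installed.
INSTALLED: Dict[str, str] = {
    "example-cms": "1.9.2",
    "example-forum": "2.0.10",
    "example-gallery": "0.8",
}

# Constructed "first fixed version" per component. In practice this comes
# from each project's release notes or advisory feed.
FIXED_IN: Dict[str, str] = {
    "example-cms": "1.10.0",    # 1.10 is newer than 1.9 (numerically, not lexically)
    "example-forum": "2.0.10",  # already at the fixed release
    "example-gallery": "1.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so that comparison is numeric."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '1.0' and '1.0.0' compare as equal."""
    return v + (0,) * (length - len(v))


def is_outdated(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


def outdated_components(installed: Dict[str, str],
                        fixed_in: Dict[str, str]) -> List[str]:
    """Names of installed components that still lack a known fix, sorted."""
    return sorted(
        name for name, ver in installed.items()
        if name in fixed_in and is_outdated(ver, fixed_in[name])
    )


if __name__ == "__main__":
    for name in outdated_components(INSTALLED, FIXED_IN):
        print(f"{name}: installed {INSTALLED[name]}, "
              f"fix available in {FIXED_IN[name]}")
```

Run on the constructed data it reports example-cms and example-gallery as lagging behind a fix and stays quiet about example-forum. The string-versus-number distinction is the whole point: a naive `installed < fixed_in` on the raw strings would have passed example-cms as up to date.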

8 Responses to “Is Open Source Really More Secure?”

  1. farking 24 March 2006 at 8:44 am

    it’s no doubt open source is more secure compared to the closed source, commercial software. it’s just a matter of time before someone will find a bug and exploit it.

    just take a look at microsoft windows. no source but still a lot of bugs and vulnerabilities discovered. :)

  2. Navaho Gunleg 24 March 2006 at 10:24 am

    The only thing I know from experience is that I have never seen more sh** on proprietary operating systems than on open-source ones.

    Fact is, you do not know what goes on in a closed-box whereas you can know what happens in an open one.

    Proprietary systems rely on the fact other people never look inside it, simply because it’s written crappy.

    Open-source can be read by anyone. This automatically results in cleaner code — as some form of ‘social control’ — because you know some other guy is going to complain if you don’t.

    The question shouldn’t be whether open-source is more secure than closed — but rather which one can you (unconditionally) trust?

  3. Darknet 24 March 2006 at 11:37 am

    Yah, pretty much proven recently by the independent study. It showed Open Source software did have a lot of faults, but the LAMP stack had significantly fewer faults per thousand than the proprietary software, leading it to be some of the most secure software around.

  4. Navaho Gunleg 24 March 2006 at 11:43 am

    Also I expect the quality of the Linux kernel to be significantly higher than the Windows one (or SCO one for that matter). We can just never be sure because the latter are closed.

    Of course there are plenty home-brew projects that still have lousy code. (/me looks in his home-CVS repository.)

    At some point, an open-source project will get enough focus, become popular and the source-code cleaned-up.

    Independent study? Somehow I don’t see Microsoft lending out their source-code to an ‘independent’ researcher — rather see them making an independent researcher, well, depend… ;)

  5. CS Shyam Sundar 24 March 2006 at 12:07 pm

    First all should understand that it doesn’t matter if it’s OPEN SOURCE or CLOSED SOURCE.

    But we can see that, in OPEN SOURCE the code is viewed by many people, and hence LESS THE CHANCES for insecure code. I said only less the chance; it does not necessarily mean that it is secure. Chances are that all the people who looked at the code might have overlooked something.

    But in CLOSED SOURCE, code is seen by a few people, so relatively much more risky.

  6. kurt wismer 24 March 2006 at 3:39 pm

    i think what is important to see here (and what some people seem to have some intuitive grasp on) has to do with the difference between security and risk…

    open source has the potential to have a lower risk of exploitability…

    i think we can all agree that the more people looking at the code, the less chance of those people missing something that could be exploited in a malicious way… that’s no guarantee that they won’t, but it is a higher assurance level…

    further, the more popular the open source app, the more people there will be (both good and bad) with motivation enough to examine the code… a really popular open source program, therefore, may receive much more examination than is reasonable or possible for its closed source alternatives (for example, it’s quite likely that linux’s code has been examined, at least in part, by far more people than have examined windows’ code)… and for this reason i think the idea suggested of using open source apps no one has heard of before for the sake of security is actually a bad security measure as it tries to get security out of obscurity and gives up the risk managing benefits that open source provides…

    on the other hand, the larger the code base, the greater the chance of missing something because it’s more difficult to examine all of the code and model its security…

    of course, the importance of keeping the software up to date is something that transcends the division between open and closed source… making the code secure is an on-going, never-ending process regardless of how open things are… users definitely need to be made aware of the need to keep all their software up to date…

  7. Darknet 25 March 2006 at 5:38 am

    Great comment kurt, have to agree.

    A lot of it is to do with perception, and well, the LAMP stack for example has been examined by many thousands more people than the core of Microsoft’s OS could have ever been looked at.

    Which would account for higher security, less flaws in the code in general and more transparency, which in turn passes less risk on to us.

    But yeah, homebrew projects can be terrible for security, and not all open source is good… look at Sendmail’s record! Bring on Exim :)

  8. Haydies 28 March 2006 at 10:00 am

    “Open-source can be read by anyone. This automatically results in cleaner code” well, that’s simply not true. I have seen some code that, to be brutally honest, I would have cut my own hands off if I’d written. There are more bad programmers than good ones in the world.

    I think the point no one seems to ever mention though is that windows gets more attention by more people trying to break it than anything else. So more problems are found.

    Also, with “common” solutions, closed or not, there is the problem that once a problem is found, and a script written to exploit it, then any monkey can use that. They don’t even have to know how the exploit works.

    The more people using something, the more likely someone is to try it on. I don’t think the problems are in the OS, or the main parts such as PHP, or MySQL. It’s normally in the PHP code (or similar) that someone’s written, then someone else has used. If you don’t understand it at all, how can you be secure? The problem for me is that there are lots of unskilled people downloading “free” software then assuming it’s all good; no one’s got any comeback, and half the time it’s written by someone in a back room. Not always bad, but sometimes it is. No design, no formal testing… but it’s free, so who can complain?

    Don’t get me wrong though, I use a lot of Open source stuff, PHP etc. But I don’t download other people’s code. I write my own. I like to think it’s more secure, but even if it’s not, at least it won’t get taken by a script someone wrote to generally exploit sites.

    :-)