
Re: [News] Why Open Source and Security are Synonymous


"Roy Schestowitz" <newsgroups@xxxxxxxxxxxxxxx> wrote in message news:2416255.EkMSHEJyIH@xxxxxxxxxxxxxxxxxx
'Wide open' means extra security

,----[ Quote ]
| There's a reason nearly every security appliance vendor uses open
| source tools, and it has little to do with licensing. The vast majority
| of these devices -- ranging from spam and spyware filters to network
| scanners to intrusion detection and prevention systems -- are not only
| built on an open source platform such as Linux or FreeBSD, but they also
| actively use other open source products to accomplish their given tasks.
`----

http://www.computerworld.com.au/index.php/id;979702586;fp;2;fpid;3

There is a mental barrier. People naturally think that closed=secure and
open=exposed. In reality, it's the very opposite.

Some interesting further reading:

http://www.theregister.co.uk/2003/02/12/open_and_closed_security/
<quote>
Open and closed approaches to security are basically equivalent, with opening a system up to inspection helping attackers and defenders alike.


That's the surprising conclusion drawn by Cambridge don Ross Anderson during a well-received talk to a Linux User Group at London's City University last night.

[...]

Whichever model of security is used the fight favours attackers over defenders. That's because it's so much easier to find new exploits than to identify bugs that might lead to the development of exploits.

According to Anderson, attackers have a constant factor advantage over defenders even if source code is not available to those on the "dark side".

Audience members quizzed Anderson on his theory that the rate at which bugs are found helps attackers and defenders by the same amount.

His response to this, which draws on some detailed statistical analysis work, is best explained by reference to his paper (PDF) on the subject.

In response to our questions, Anderson said his paper fleshes out what those in the security industry know through common sense.

The real value of Anderson's work seems to be in laying down a theoretical framework for a discussion of the economics of security.

Even Anderson, arguably Britain's top academic focused on IT security, acknowledges that working out how to provide incentives for security to IT suppliers is a "hard problem", given the complex inter-relationship of different components in real systems.
</quote>


http://news.zdnet.co.uk/business/0,39020645,2112227,00.htm
<quote>
In his paper, computer scientist Ross Anderson used an analysis equating finding software bugs to testing programs for the mean time before failure, a measure of quality frequently used by manufacturers. Under the analysis, Anderson found that his ideal "open-source" programs were as secure as the "closed-source" programs.


"Other things being equal, we expect that open and closed systems will exhibit similar growth in reliability and in security assurance," Anderson wrote in his paper.

[...]

However, the paper has yet to be peer-reviewed and errors in his assumptions could undermine his theory. Furthermore, he acknowledged that real-world considerations could easily skew his conclusions.

"Even though open and closed systems are equally secure in an ideal world, the world is not ideal, and is often adversarial," Anderson said.

For example, the same quality that makes it easier to find bugs in open-source code may also make it easier for attackers to find ways to exploit the code. On the other hand, software makers may be less quick to assign resources to fixing flawed software and may not want to admit that such flaws exist for economic reasons.

Oddly, Anderson used the latter third of the paper to launch into a criticism of the Trusted Computer Platform Alliance, a security consortium started by Microsoft, Intel, Hewlett-Packard, Compaq Computer and IBM in October 1999.

While they claim their focus is on security, it's really on creating a platform from which competitors can be excluded, he argued. Furthermore, the alliance's technology for assigning a computer a unique ID is really another arrow in the quiver of Hollywood and music companies to fence off their content.
</quote>


http://www.securityfocus.com/columnists/269
<quote>
Although this might seem to imply that open source projects are going to have fewer vulnerabilities than closed source projects, that's not really the case either; the number of vulnerabilities present in a given system can't be simply associated with the openness of its source code. Ultimately, it's about the way the project and its developers handle and integrate security.

[...]

Ultimately, when it comes down to it, security is about more than just being closed source or open source, it's about a process. Which brings me to something that I really like about the open source concept - I can see how well tuned that process is, and I don't have to take someone else's word for it. And in the end, it's always easy to put trust into your own observations, and not someone else's.
</quote>


- Oliver
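The reliability-growth argument summarised in the quoted articles, written out as an added illustration (not an equation taken from the articles or from Anderson's paper); the model below, a hazard rate that falls as $1/t$ and a constant factor $\lambda$ by which source access makes testing more effective, is an assumption made here to show the shape of the argument.

Under a standard reliability-growth model, after $t$ hours of testing the expected time to the next failure (MTBF) grows roughly in proportion to $t$, so the rate at which the next bug turns up falls as

$$\mathrm{MTBF}(t) \approx t, \qquad h(t) \approx \frac{1}{t}.$$

If opening the source makes every hour of testing $\lambda$ times more effective, an attacker working from the source finds the next bug at rate $\lambda\, h_a(t)$, but a defender working from the same source finds it at rate $\lambda\, h_d(t)$. The ratio between them is unchanged:

$$\frac{\lambda\, h_a(t)}{\lambda\, h_d(t)} = \frac{h_a(t)}{h_d(t)}.$$

Equivalently, $t$ hours spent testing the open system buy the same assurance as $\lambda t$ hours spent on the closed one, for both sides; whatever constant-factor advantage attackers already hold survives the change, which is the "equivalent in an ideal world" conclusion quoted above. The articles' caveat is that the real world breaks the symmetry: $\lambda$ need not be the same for attacker and defender once vendor incentives, disclosure behaviour and patching delays are taken into account.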

