Open Source

Does open sourcing a security framework lead to more secure software?

Red Hat recently open sourced the Red Hat certificate system - software for managing user identities and privacy on a network. However, does open sourcing security software make it more secure, or does opening the code lead to vulnerabilities?

An excerpt from Washington Post:

The Linux vendor said Wednesday it has released the entire source code for the Red Hat Certificate System, its security framework for managing user identities and transactions on a network. Red Hat acquired the system from AOL three years ago, but only parts of the system, which uses the Apache Web server and the Red Hat Directory Server, were open source.

There are several benefits in opening up the code, chief among them being the integration with open standards-based technologies. But open source also has this meta-hole problem mentioned by Dana Blankenhorn at ZDNet.

This implies that it all comes down to the individuals assessing the code. But does the scrutiny of the open-source developer community outpace the efforts of those seeking to exploit the holes that are inherent in software?

The present Red Hat Certificate System will be part of the freeIPA project for central management and provisioning of machines and services.

Do you think open sourcing security code is a security risk?

4 comments
Tony Hopkinson

the incredibly secure closed source some would have us use? Risk is relative. There's always a risk; how big is it? If you were promoting open source security, so you made it all open, so good guys and bad guys could see it, how likely is it that you'd make sure you hadn't made yourself look like a complete eejit before god and everybody, by leaving a flaw in there? If you were promoting closed source... It's not really closed vs open, it's commercial vs 'free'. The erm compromises, often made in paid-for software in order to satisfy commercial exigencies, are 99/100 detrimental to code quality, which is a security risk whichever way you look at it.

Penguin_me

I'd like to start by pointing to Bruce Schneier's (Security Guru, look him up) blog - http://www.schneier.com/crypto-gram-9909.html - that was posted in 1999, but he has repeatedly said that open sourcing security protocols, algorithms etc. is better than leaving them closed. As closed source, people are still going to try and find ways to break the security, and you have to run around patching it and so on after. Open sourcing it means that anyone who wants to can look over the code, find any bugs, exploits etc. and submit a fix. You're never going to stop people from trying to find holes in security, and leaving it closed source evidently doesn't stop it. I'm not saying it's a "magic bullet", but surely having a few hundred people who code security for pleasure looking through the code is a good step?

Neon Samurai

Visibility offers the difference between real security and an emperor's lovely new robes. Is the security process actually providing a level of security, or is it pretty but effectively useless? Real security is being able to stand in front of a rushing bus and know that when it gets to you, it will still have no effect. You (the security process) are fully visible, but even with a visible process, security is maintained through real mechanisms rather than hidden secrets. Someone should be able to know each step in the process and still not be able to gain access without the applicable tokens, passwords and attributes.

pr.arun

Thanks for that link. Open source does mean that more people get to scrutinize the methods that are used.