
Companies still concerned about open source security? Really?

Recently I read a survey done by the Forrester Research that claimed the majority of IT professionals are concerned about open source security. Jack Wallen decided maybe it was time to ask a few questions of Forrester and give them an analogy they can understand.

Really? Did I wake up this morning only to find that Dr. Emmett Brown successfully teleported me Back to the Future with his Delorean? Or are the majority of people polled by Forrester that clueless and is Forrester that irresponsible?

Let me break it down for you. In two reports done by Forrester ("The State of SMB Software: 2009" and "The State of Enterprise Software: 2009"), of the 2,227 people polled:
  • 58% of large companies had security concerns about open source.
  • Two-thirds of small to midsized businesses had security concerns with open source.
  • 9% of enterprises said they were "very concerned" with open source security.
  • 45% of small to midsized businesses were "very concerned" with open source security.

I would like to ask both Forrester and those polled a few questions myself. To Forrester I would ask:

  1. "Who is funding these surveys?"
  2. "Do you know enough about open source yourself to actually create a fair poll?"
  3. "What's with the large gap between enterprise and SMB in the 'very concerned' category?"

To those polled I would like to ask:

  1. "Have you ever tried open source software?"
  2. "How's the security of your closed-source apps working out for you?"

I find surveys and polls of this nature very irresponsible. A headline such as "Companies still concerned about open source security" tells the masses one thing: open source software isn't secure. Now, we all know that the vast majority of open source software is secure (not all of it, but most). Some open source software is far more secure than its closed-source counterpart. For those of us who have used both types extensively, those results raise red flags.

Ask yourself this question: If open source software is so much less secure than closed source software, then why does open source software not need so many third-party applications to secure it?

Another question for you to ask: If closed source software is so secure, then why is it that Microsoft, Norton, AVG, McAfee, etc. have to constantly update their security definitions to keep offending software out?

I want to use an analogy here (because now is a good time for one and because I like them). The analogy I will use is ye ole castle. We'll examine both open source and closed source ye ole castles.

The open source castle: This castle is built solidly. It's pleasant to look at, it works, it's been standing for years, never offends anyone, and has few enemies. But when that rare enemy does come to attack, they quickly find very few ways of breaking through or getting in. The walls of this castle are too strong to break. There is no moat keeping them from getting to the walls (the builders assumed the castle strong enough not to need such a thing). And so the open source castle just remains untouched. Oh, and anyone who wants copies of the castle blueprints can have them free of charge.

The closed source castle: This castle is very appealing. Its design leads the dweller and the citizens to believe the owner is very intelligent and very wealthy. When this castle was first built it had no moat. But over time the owners of the castle developed a number of enemies, and the castle quickly revealed it had many weaknesses. Doers of bad things were able to come and go as they pleased, it seemed. And so the owner of the castle doth bid his groundlings to build him a moat in order to keep out the ne'er-do-wells. At first this moat did a grand job of keeping out the riff and the raff. But over time said riff and raff built boats to get across the moat, and the wrongdoings commenced again. And so the owner of the castle filled the moat with deadly creatures. And so on and so on, with the same results. Oh, and anyone wanting blueprints of the castle must be a member of a very elite group and pay a very hefty tax.

You get the picture. And just why the analogy? Sometimes I feel like the masses (including those masses that report "findings" as Forrester did) haven't the slightest clue what open source software really is and what makes up its security. To those people it takes such a simplistic analogy to get them to even understand the difference between open and closed source software.

I remember back in the late '90s how Gartner was fond of lambasting open source software at every turn. And almost everything they claimed about open source was wrong. They said open source would fail as a server OS. Wrong. They said open source couldn't gain any traction on the desktop. Wrong. They said the security model of open source was flawed. Wrong. They said open source would damage the market. Wrong. Gartner needed a serious dose of castle analogy. Gartner eventually realized their folly and acknowledged the value of open source software.

I am not, in any way, saying that closed source software is bad. In general, it's not. I even use some proprietary software. What I AM saying is that until you have actually tried open source software, you shouldn't be making such claims. I have used Windows in nearly all of its iterations. Although I have found it to be useful at times, I have had enough bad experiences with it to say, for me, it is not secure and reliable enough for my needs. As for your needs - I have no idea what they are, so I can't say open source will fit the bill. But if open source will meet your needs, I can say that most likely it will meet your needs much better than closed source software will.

I think the media (this includes survey groups and focus groups) needs to be responsible for its claims. As a whole, the masses actually take the opinions of these people seriously. Because of this, claims like "Businesses in North America and Europe remain broadly worried about the security of open-source software...." should include one of two things:
  • A big * indicating that those polled may not have ever given open source a try.
  • A note on who is funding the survey.

To that extent, maybe it's time a fund is started within the open source community to pay for "research studies" that indicate such claims as "Majority of IT professionals say open source software is superior, in all ways, to its proprietary counterpart." Of course, the biggest difference between this study and the other study is that this study would come with a disclaimer saying:

"This study is protected by the GPL and can be modified, used, re-purposed, altered, sold, shredded, mocked, used as papier mâché, so long as the original source is included with any changes."

On a final note: If you go to the Forrester Research web site and do a search for open source software you will find plenty of surveys that extol the value of open source. So what gives? Why speak out of both sides of your mouth?

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

33 comments
Yonah

Again, Jack leaves us wanting. What do we want? How about a real journalist? One who would have actually done some research to dig up the answers to the questions, rather than just leave them dangling in the article. I can't stress enough how unprofessional this is. Castle analogies, really? This is supposed to be a tech website, not a medieval fantasy portal. I do love this money quote though: "I am not, in any way, saying the closed source software is bad", says the zealot with a Tux tattoo. You know our audience. The problem is, you don't know that WE know your audience too. Keep hackin' it, Jack.

Crash2100

Some programs can be made more secure than others, but no matter what, the more popular something is, the more security holes are going to be found, and the more it's going to get malicious security exploits made for it. Because there is no such thing as flawless security. Also, the open source idea can be a double-edged sword: things may be able to get fixed faster by anyone who wants to fix them, but security holes for malicious exploits can also be found just as easily this way.

sonicsteve

I first would love to see the questions that were asked. I used to answer surveys about IT when they called, and without exception I found each of them too limiting in the way they asked the questions. They guided your answers like a nose ring on a bull. Often I found myself abstaining from the questions and telling the surveyor that I protest the question. You could smell the agenda from 100 miles away. When surveys start asking real questions to get unbiased results, I'll start answering them again. I'm encouraged, though, that some larger company out there thinks enough about open-source to start attacking it. I love open-source software; it enables me to accomplish things at my school that would have cost thousands of dollars, AKA just ain't gonna happen any other way other than open-source. This isn't to suggest that I would have spent the money on closed proprietary software if my budget would have allowed. The software I use is fabulous, I have no regrets, in fact it gives me an edge.

rhys

A few points that struck me immediately:
  • Any IT professional should be concerned about OSS security. As mentioned above, this concern should not be limited to OSS.
  • Any professional should know to read a report in context, and perform their own evaluation of the data (size, reliability, precision, method of gathering, etc.). As such, reports that are not transparent (e.g. having the survey format reproduced as an appendix, disclosure by the author) carry less weight.
  • If commenters' views are representative of the readership then this forum is pretty much "preaching to the converted". The people who I really want to listen to are people who:
    • have switched a business between an OSS solution and a Closed Source solution.
    • simultaneously support both OSS and Closed Source applications with comparable purposes.

My own rant: I have always had respect for OSS and the principle of free knowledge behind it. In the workplace I am forced to toe the line and support the software the business decides to implement, which ends up closed source. This puts me in a position where any assertion I make about OSS security is of no more value than an end user's. Sure, I believe it is more secure. However, my anecdotal experience is as an end user looking after a single instance at home, not as an IT professional supporting a multitude of instances. Without a valid contrast, any opinions should be viewed exactly as that: opinions. My opinions are not backed by my own first-hand experience as an IT pro, and it would be somewhere between foolish and dishonest for me to go on record as an IT pro saying "OSS is more secure".

I am somewhat confused by the end of the article. It seems that there are conflicting views set out:
  • OSS is more secure, albeit that there is some insecure OSS around.
  • Closed source is less secure, but much of it is still well written.

It seems to me that too many generalisations are being thrown around for anyone's good. Should there be a blanket view of OSS? If I examine any two pieces of software there are two separate and distinct examinations that I must do. Saying that both pieces of software come from the same vendor, or same programmer, does not make them alike, nor does classifying them by license make them alike in any other respect. They must be treated as distinct. The "many eyes" approach from OSS has some logic behind it, but it is by no means perfect. Bear in mind that, unlike the castle analogy, the source of OSS is being constantly updated (I hope). This makes peer review a constant necessity, but there is no guarantee that every expert will review the code every update. Mistakes do happen; if you don't believe me, take a look at a high-profile successful OSS example, Mozilla Firefox - they release security updates frequently enough. MS (Microsoft) claim that a many eyes approach is less secure because they have experts paid to scour the code for security holes. MS also have questionable policies about patching any holes found, so is the problem with their policy or their review process? Unfortunately it is all behind closed doors; there is no transparent process for anyone outside MS to see how many flaws are found or how quickly. It may well be that the MS approach of "expert eyes" is more valid than the OSS model of "many eyes", but we can't know this. All we can see is how frequently each is compromised.

So I put forward that I am an OSS supporter (albeit disqualified from calling myself an IT pro at the same time), I believe in scepticism about reports, I believe that each piece of software should be evaluated separately, and I am open to the idea that Closed Source and OSS can be on par.

Lastly (if anyone has read this far) comes the part that I consider may be inflammatory, but please remember it's just a stranger's opinion: Fuzzy thinking such as "the license of a piece of software can/should be used as a predictor of the security of the software" does nothing to credit the Open Source community. I'm sure that statistically I'm wrong, but as they say, statistics are about other people, or in this case about other software. My concern is about the security of a specific piece of software I'm looking at rather than the security of all software that can be grouped with it by license type. Maybe OSS is generally more secure, but if you care about security, generally or mostly is not enough. It must be all, or specifically the software you are looking at.

rngunter

that most up-and-coming IT professionals are too young to remember the world before Windows and Mac?

Deadly Ernest

question to ask a politician you don't like when you're a news reporter - "Excuse me Senator, have you beaten your wife lately?" No actual accusation he can do much about, but it implies a lot. There is an art in asking survey questions; the great pity is less than one tenth of surveys are written by people skilled in this art. I don't remember where I saw the report, but about six years ago I saw a public copy of a US Department of Defense report on computer operating systems approved for use on classified systems. When you got away from the section marked 'Unclassified and Commercially Confidential' to the section marked 'For National Security Classification Systems' you did NOT find a single MS OS or application listed as approved for use. They were all Unix or Linux, with some Apple software as well. The majority of applications were Open Source applications or built in house for DoD and other government departments. I think that says all you need to know about the security of systems and software. I'd love to see the current version of that report.

bblackmoor

The problem with empty headlines like "Companies still concerned about open source security" is that they tell you nothing and yet imply everything. You may as well say, "Study Reveals Pittsburgh Unprepared For Full-Scale Zombie Attack". What does this headline tell you? Is ANY city prepared for a full-scale zombie attack? Is a full-scale zombie attack even remotely likely? The answer to both is "no", yet the headline implies that the answer to both questions is "yes". Should companies be concerned about the security of open source software? Of course they should -- and they should also be concerned about closed source software, as well as the firmware in their hardware, their physical security, and the safety of their employees in the parking lot. Should companies avoid open source software for "security" reasons? Of course not. Open source software is, in general, more secure than closed source software, and security flaws in open source software are more quickly corrected when they are found. The problem with polls like Forrester's (and those who conduct them) is not that the results are inaccurate (although they may be). The problem is that you won't get the correct answer if you do not ask the correct question -- and you have to understand the topic in order to ask the right questions. Forrester Research clearly doesn't. http://www.blackgate.net/blog/it-professionals-concerned-about-forrester-research-competence/

Jaqui

After all, I use open source exclusively. Thankfully, I HAVE THE SOURCES and skill to fix any issues that crop up, so my open source systems are very secure. :)

CharlieSpencer

without also asking the same people the same question as regards closed source software. For all we know, the results for closed source show more people concerned about its security than for OSS. Jack, did the results you saw mention closed source responses? If so, would you mind linking to the results? If not, then the whole survey is pointless and there's no reason for you to link to it. I'm not comfortable with your assertion that the 'open source castle' is too strong to break, but I agree with your basic point. Surveys like this reveal nothing. "Lies, damn lies, and statistics."

Tony Hopkinson

Why wouldn't I be? If you aren't concerned you are insecure, aren't you? It would be interesting to see the poll form; it looks like a guided question from Jack's post. Here's one for you: Are you concerned by street crime? Why would you answer no? It's OK though, this sort of tactic shows open source is winning.

LyleTaylor

Unfortunately, it's not the survey that disappoints me but the article. First, the survey doesn't purport that OSS is insecure, just that people have security concerns about it. Reporting the results of a survey that you appear to be taking to contradict other survey results is not speaking out of both sides of your mouth. The survey, in theory, does not represent the opinion of Forrester, but of the people they polled. Sure, the survey could be flawed, but the mere fact that you're appalled at the results does not mean that it is. Second, I don't buy the analogy, and it does nothing to make me think that OSS is any more secure - rather, it sounds a lot like FUD. If you really want to show that it's more secure, you need to prove your point with statistics, etc. There's nothing in here that shows any of your statements are correct. You might be taking that for granted, but if you're going to assert it, you've got to support it. Lastly, better questions to ask might be something like "Why do these companies have this impression?" "Who at the companies was actually polled (e.g., C-level, middle management, etc.)?" All that said, I'm not saying that I think OSS is any more or less secure than anything else. I'm just very disappointed in this article and the approach that was taken.

rduncan

I think the reality here is that when we compare Two things based on One MASSIVE attribute, i.e. open / closed, then that's all we are comparing; security cannot be factored without more attributes, and that's why people in the OSS/free software camp got pissed off at the biased survey in the first place. Security is everyone's nightmare from end users on up and should be managed at the physical layer primarily. If we're going to make arguments about models of development (many/eyes v expert/eyes) we're still not talking about security. The survey and its outcome are biased against the Open Source community, who believe that their MODEL for software development should be treated with the same respect as the closed source MODEL. My two cents is that the open source (not freeware) model is better, and I wish the developers all the luck in the future in overcoming the STIGMA attached to working for the community at large, sharing your knowledge, building communities and taking $$$$$???????? out of the picture. Check out www.moodle.org, the best developed and supported VLE ever conceived, to see what I'm talking about; use the software - it's free, it's been developed for you, don't let their expert eyes fool ye.

Slayer_

You said you use open source because it is free. However, there are tons of closed source applications that are also free. If it is open source, it pretty much has to be free, but something can be free without being open source. You should try to remember that.

Tony Hopkinson

There's no reason why closed source can't be secure, or that open source can't be insecure. There's no reason why a team of experts can't close up more holes than a group of well-meaning interested parties with varying skill levels and knowledge, and vice versa. What you can say about OSS, though, is there is no commercial advantage in not fixing an issue, there's no commercial advantage in creating one, and there's no way that you can claim a deliberate lowering of security for commercial advantage was an individual developer making a mistake, if of course you are doing it properly. Security by obscurity isn't a tool, it's an excuse.

rduncan

Surely for developers and administrators the pro of OSS is, well, access to the source; this, when you know what you are doing and have a good security policy you can wave around, is empowering on all levels - for modding, hacking, locking down, porting etc etc. However, what comes with absolute power? Yep, absolute corruption, and I feel that it is this absolute power which OSS offers that makes IT managers and other execs 'very concerned'. OSS is as secure as you want it - make it so or ask the community to develop it. Closed source is as secure as it's made with the buyer in mind. Anyway, I hate religious wars and soapboxes. I agree the survey is rubbish but won't affect OSS or the new generation adopting OSS.

csmith.kaze

"is ANY city prepared for a full scale zombie attack?" Mine is. I am on the board of the Zombie Defense Initiative (ZDI) here. We have drills and train everyday people on the finer arts of zombie killing with equipment found around the house. Like records, baseball bats, and the ever fun Molotov cocktail. We can truthfully say we are the most ready city for the inevitable zombie uprising that will come. You should start your own local ZDI branch. We have t-shirts. (sorry, you left yourself open, and I couldn't help it. I agree with you though.)

misceng

In the UK there was a TV programme called "Yes Minister". A survey was suggested and the Senior Civil Servant asked what conclusion the survey should come to. He then asked two sets of questions about the subject so that the logical outcome from answering the first set led to exactly the opposite result from answering the second set. This illustrated that the questionnaire defines the outcome.

jlwallen

but harder to break. The only machine that is impenetrable is the machine that is not turned on.

jlwallen

The survey itself was very one-sided. That was sort of my point... that obviously didn't come across.

csmith.kaze

they should read: "Do you think open source programs are less or more secure than closed source?" Of course, as an OSS user I prefer OSS over closed source, but bugs are a part of life. What I like are the extremely fast turnarounds on OSS over closed source. I do believe that OSS is more secure, inherently. I am concerned about security in all my apps, closed or not.

jlwallen

The survey - and many like them - are very one-sided. When I see such surveys I immediately think they were funded by someone with special interests. What really gets me is that these things forgo a very important lesson they learned in basic chemistry - you have to have a control group. For this survey to actually have been valid they would have needed to pose similar questions regarding closed source software. They didn't. What should have been asked is something like this:
  1. Do you use open source software?
  2. Are you concerned about the security of open source software?
  3. Are you concerned about the security of closed source software?
  4. Which poses a greater security risk to your enterprise: open source software or closed source software?
  5. What measures have you taken to test the security of either open source or closed source software?
Those questions would result in a much more viable survey.

jlwallen

Security is the nightmare of everyone. And the survey question was posed in such a way that it addressed only general security. Just how would you answer: are you concerned about security in your enterprise? You would say, decidedly, YES. It wouldn't matter what model you used or what type of software you used. Now if you pose the question: which model is more fundamentally secure, open source or proprietary? You have a much clearer idea of what those asked thought. I have spoken with plenty of people on this issue (media and IT admins) - and the general feeling is that surveys and focus groups are useless and they generally only find what upper management want them to find. Now if you ask upper management types you will get a completely different answer. You will find that upper management depend upon the findings from these surveys because they give them NUMBERS which they can translate to dollar amounts. On top of that, CEOs and upper management have this strange idea that if you pay for something it has value. I am sure that everyone here has paid for something that had little value.

sonicsteve

Is that often I've found over the years that "freeware" closed source, free as in $, software is often developed by very small groups of people and sometimes just one individual. While I'm sure this isn't always true, I think it likely pans out this way because it's hard to get a team of people together to buy into a closed source idea. This is just my opinion; I have no numbers to support it. I know it's also true that some open source projects have small teams. One problem beyond that for closed source free is that if the developer loses interest the project has no choice but to die, while open source could in theory be passed on to a new group. I know that arguments could go back and forth on this, from open source fragmentation to why develop free closed source in the first place? If you don't want to charge, why not let others improve it? You could then get their code and improve on it again! In the end I think open source free simply makes more sense if you're going to offer your software for free.

sonicsteve

You're right, I didn't really explain all my reasons.
  1. Free as in freedom.
  2. I do think that for well-established open source apps more eyes means better security.
  3. Free $0.00 is good also, though I have donated to some of the projects. It's impossible to support them all.
  4. Different projects can spin off the original.
  5. If my neighbor likes it I can help him.
I know that people deserve to make a living. The trouble is, though, that many parts of the world simply cannot even contemplate paying for their software. As time goes by this creates an enormous social divide. Open source means that if Joe-Developed-nation guy wants to spend money on his SLED Linux he can, and he'll get great support. But Joe-undev-nation guy can still get openSUSE and still have pretty much the same experience without the social divide. Computers are the communication devices of our time. If you can't communicate you can't succeed. Telling a financially poor person from the Congo that they can't run a computer because they can't pay for the software means they will either obtain their software illegally or .... open source. We can't ignore this.

bblackmoor

Right, then. I shall head to Jackson, Mississippi when the zombie apocalypse arrives.

Deadly Ernest

I've looked into this at one point because I've noticed a major change in how Hollywood portrays zombies. They come from old Voodoo legends - the zombie of Bernie in 'Weekend at Bernie's 2' is a perfect example of a Voodoo zombie - a brainless animated corpse that only does exactly what it's told. The Hollywood w a n k e r version of a murderous killer zombie is all Hollywood BS hype. So no one has to be worried about an attack by zombies. However, there is a third type of zombie, that created in Washington DC and often called a Senator or Congressman (the worst is the type called President) - these are very harmful and dangerous zombies, but they do their evil through laws and evil government agencies. Try http://en.wikipedia.org/wiki/Zombie

Tony Hopkinson

the security by obscurity believers, though. A lot of them have been indoctrinated since birth. Whether OSS is more secure or not, if it isn't perceived as such or is misperceived then that has to be addressed. Us propeller heads knowing we are right isn't a big help.

LyleTaylor

That makes sense, and I agree with that.

Slayer_

Is the ability to "take credit" for your work lost when your code is or becomes open source? Perhaps free closed source developers do not want their project to become someone else's. Kind of like if you build your own house, you probably don't want random strangers coming in and rebuilding your house.

csmith.kaze

It's a tad to the north. I just work in Jackson :)

csmith.kaze

:) Those indoctrinated at birth are not going to have much of a career once Windows becomes a horrible nightmare long past. There are definitely advantages to the bazaar style of software creation. Being able to stand the test of time is one. I seriously don't think that MS will be the same company it is today in five years. I think gears will be shifted, and the OS wars will have ended with the *nixes on top. (Could be wistful thinking, but I do believe that UNIX and UNIX-like OSes are the future. Maybe MS will come out with a UNIX clone. God knows they need something. NT is showing its age and it isn't pretty.)

zyphlar

His point about the open-source security model being more sound than the closed-source model is quite sound, if overly simplistic in the analogy. The premise is that no organization has enough eyes to make every line of code as secure as possible, so the act of allowing the public to see (and possibly edit) the code will bring accountability, trust, and ultimately more security to the software. The two competing ideologies are very similar to representative government and democratic government. Who do you trust more, the elite or the masses, and what happens if either one abuses that trust?
