One of the more entertaining aspects of being
involved with Internet and information security is predicting how
long it will take a hacker to break or exploit a system or program
assumed to be secure. I’ve said it before, and I’ll say it again:
With very few exceptions, all software has bugs.
Whether these bugs present a risk for
exploitation depends on the software and on whether any intruders are
actively trying to find holes to exploit. I use the term intruder rather than hacker
because worms and viruses are more likely to identify and exploit
vulnerable systems than people these days.
(That’s not to say that hackers don’t break
into systems. Hacker incidents like
what happened to T-Mobile are more common than what the media
would lead you to believe.)
What companies and users unfamiliar with the
technical details of computing don’t realize is that commercial
software bases its claims of “security” more on guesswork and hope
than reality. Software marketing relies heavily on so-called
“independent” testing and certification, but the software companies
are the ones that pay for that testing and certification.
Then again, what software company is going to
advertise its products as “somewhat secure” or “very possibly
secure”? But that’s actually closer to the truth.
Some people, myself included, estimate that the
cost of eliminating half of the bugs in commercial software far
exceeds the revenue generated over the lifetime of the product. Of
course, companies could recoup some of this cost by drastically
increasing prices. But commercial software companies are already
competing with open source software, and raising prices isn’t going
to bring them any new customers.
One of the main reasons I’m such a harsh critic
of commercial software companies is that they didn’t bother to
address the security and reliability concerns of their products
until open source software became a serious enough threat to their
business.
I’ve used both commercial and open source
software for more than 25 years, and I honestly believe that
commercial software has fallen far behind open source software when
it comes to security and reliability, not to mention the fact that
open source software costs much less to support.
Despite many commercial software companies’
claims about the security of their products, open source software
is very difficult to compete with when it comes to security.
Because of its worldwide use in research, open source software is
always on the cutting edge of security. I trust open source
software because I know a lot of other people have seen the same
code I’m seeing.
It’s important to remember that security is not
simple, nor is it absolute. Developing secure software is an
expensive, difficult, detailed, and time-consuming process.
Competing effectively with open source software
requires commercial software companies to commit to producing a
secure product that’s better than what users can get for free. Only
time will tell whether commercial software companies can focus on
this task.
But until the hype lives up to reality, I’ll
continue to use open source alternatives to commercial software.
The software is genuinely more secure, which I know because I’ve
seen the code myself.