Transvasive Security

the human factor

I started Transvasive Security in 2008 and offered consulting services until taking a full time job in 2012. This site is an archive of my work prior to 2015; I currently blog at information-safety.org and provide security consulting through my new company, Security Differently.

Freeware vs Payware: pick the product that best meets your needs

Is Open Source software more secure or less secure than Closed Source software? Usually, when people ask or answer this question, they are comparing free, open source software that is developed by a team of mostly volunteer collaborators against commercial software developed by for-profit companies; I will use the terms Open Source and Commercial to distinguish the two.

The relative security of open source and commercial software was a topic of considerable debate within the security community starting in 1999-2000. The proponents of open source software typically claimed that their software was more secure because it was free to be reviewed by anyone on the internet; volunteer security researchers and programmers could find and fix security problems better than traditional software publishers could. The commercial software publishers more or less argued the reverse: that criminals would find and take advantage of security flaws in open source software because it was freely available. By 2004, however, the debate was generally settled within the security community, and neither side won.

What security professionals found was that there were security advantages and disadvantages to both open source (free) software and commercial (closed source) software. Starting in 2001 with the release of the “Code Red” worm, vandals, and later criminals, began to take advantage of security flaws in both commercial software and open source software on a large scale. Looking at the attacks since 2001, it’s clear that there are advantages to both open source and commercial software, but what’s most important is how we manage the risk of software vulnerabilities. In general, open source software has more vulnerabilities made public, because they are easier to find, but they are typically patched more quickly, since the development process allows for faster changes. Commercial software has fewer public vulnerabilities, but it can take much longer for fixes to be developed and released. For both open source and commercial software, the best thing you can do to protect against attacks is to quickly deploy software fixes when they are released. Proper configuration & maintenance has proven more important to security than how the software is developed.

In almost all cases, security fixes for both commercial and open source software are released before criminals start taking advantage of the flaws they fix. Good security practices that reduce the impact of security flaws, and good maintenance practices that deploy fixes quickly, provide the best protection against attack. “Zero-day” attacks, named because they happen ‘0 days’ after the vulnerability is discovered, and before the flaw can be fixed, are still uncommon, and affect both open source & commercial software. The biggest factor in 0-day attacks seems to be the number of people using the software, without regard to how it is developed. (This does tend to favor open source software, but only because it is usually not in widespread use.) And if you have good general security, there’s not much more you can do to protect against a 0-day attack.

Publishers can improve their software development to reduce how frequently flaws are found, and also make it less likely attackers can take advantage of the flaws, but these practices are well known and can be used by both commercial and open source projects. OpenBSD, a free UNIX operating system, has followed strict development and design standards for many years, and as a result has had very few flaws. Microsoft started the Security Development Lifecycle in 2004, and largely as a result, the number of flaws in Vista, and now Windows 7, has steadily declined.

What’s really important is to buy the product you need. Unless you’re buying a security product, like a firewall, you’re buying something to meet a business need; security is only a secondary concern. I was recently asked if there are any security showstoppers when purchasing software. My response was, “no, not really, unless they do something stupid.” When comparing products, some will have better security than others, but most of the time, security weaknesses aren’t bad enough to stand in the way of picking the best product, and usually, better products have better security. The best way to make sure you understand products’ security weaknesses is to ask a security expert before you purchase, so you know the security costs for both installing and maintaining the system.

After you’ve purchased the product, spend time to understand & configure the security features of what you’ve bought, following the advice of your security expert, unless what they tell you would prevent you from using the product – in that case, find a new expert. Ongoing maintenance is just as critical, if not more so. Be sure to commit time for applying critical updates, including receiving update notifications, as well as any security administration. Configuration errors or missing patches affect all software, and good maintenance practices will prevent both.

If you outsource part or all of your IT, the decision remains the same. When you’re hiring a vendor to provide and support an application or other technology, it’s most important to find the vendor that best meets your business needs and practices. As with products, better vendors usually have better security, and good vendor management practices will also mean better security. Setting clear expectations of your business’s security requirements and performing due diligence are key, as, after all, security requirements are really just a specific type of business requirement. For software security, whether your vendor chooses open source or commercial packages, the question remains the same: how well does your vendor maintain the software? Are they monitoring for and regularly applying security updates? Are they configuring the software properly? Again, have your security expert review the vendor’s security program, and if they don’t meet your standards, find a new vendor.

For both open source and commercial software, the key to success is proper configuration and maintenance; proper system management, or proper vendor management if you outsource, is what will keep your applications and systems secure.