    Is Open Source Really So Much More Secure By Nature

    202 Posts 13 Posters 35.4k Views
    • scottalanmiller @1337

      @Pete-S said in Is Open Source Really So Much More Secure By Nature:

      That's a sad argument and false. You have provided zero proof, because there are none.

      YOU provided proof yourself!

      • scottalanmiller @1337

        @Pete-S said in Is Open Source Really So Much More Secure By Nature:

        Just show us just one simple peer reviewed research paper that shows us that open source is more secure by nature.

        Show us one that isn't sponsored by a vendor or VAR that says closed source can approach open source in security.

        • scottalanmiller

          The problem here is that the argument isn't something that peer review is going to tackle, because the question is akin to asking why the sky is blue. Open source is so obviously the more secure process that no one would understand what needs to be explained.

          It's like asking for a peer review as to why locking your door is more secure than leaving it ajar. People would be flabbergasted if you asked them such a thing. As I'm shocked now.

          The question is actually that you want a peer reviewed research paper showing that taking security seriously and providing mechanisms to encourage security both technically and through human/business/peer/market pressure rather than using obscurity to hide mistakes and remove pressure to be secure is more secure?

          Literally the big difference between the two is "one is about promoting security, and one is about undermining it." That's what we are actually discussing.

          • scottalanmiller

            Here's another great way to look at it...

            The desire for a peer reviewed article to prove the point is telling. When it comes to security, you want peer review.

            But that's the point of open source: peer review.

            • Obsolesce @scottalanmiller

              @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

              Here's another great way to look at it...

              The desire for a peer reviewed article to prove the point is telling. When it comes to security, you want peer review.

              But that's the point of open source: peer review.

              Just write secure code, problem solved.

              • scottalanmiller

                I did find a peer reviewed paper, but it was written by Microsoft and peer reviewed by a university that they fund. And it just said that they didn't have any means by which to evaluate the two because there's no viable metric.

                "In conclusion, open source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code."

                However, they also came to this utterly garbage conclusion that only Microsoft could come to: "...many security attacks are independent of the source code, so neither open source or proprietary software is less secure."

                So let me get this straight, Microsoft's employee claims that since many attacks come through other vectors, that code security is irrelevant anyway? That's literally what they said in the paper. So their claim is that something like the Solarwinds event is irrelevant since, for example, ransomware is common in other arenas.

                • DustinB3403

                  The underlying issue is that Microsoft (or any closed source software company) isn't motivated to make its software secure, because it costs a ton of money to do that.

                  And instead of writing secure software, they pay for "peer reviews" saying that nothing can be secure because of other random reasons. . . .

                  • Dashrender @scottalanmiller

                    @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                    I did find a peer reviewed paper, but it was written by Microsoft and peer reviewed by a university that they fund. And it just said that they didn't have any means by which to evaluate the two because there's no viable metric.

                    "In conclusion, open source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code."

                    However, they also came to this utterly garbage conclusion that only Microsoft could come to: "...many security attacks are independent of the source code, so neither open source or proprietary software is less secure."

                    So let me get this straight, Microsoft's employee claims that since many attacks come through other vectors, that code security is irrelevant anyway? That's literally what they said in the paper. So their claim is that something like the Solarwinds event is irrelevant since, for example, ransomware is common in other arenas.

                    LOL - yup, that's what I read 😛

                    • scottalanmiller @Dashrender

                      @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                      LOL - yup, that's what I read 😛

                      Haha, it was definitely not a good thesis. It had some good points, but got lost and focused almost entirely on anything but the topic and by the end, was so distracted, that they no longer even considered the topic.

                      • Dashrender @scottalanmiller

                        @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                        Haha, it was definitely not a good thesis. It had some good points, but got lost and focused almost entirely on anything but the topic and by the end, was so distracted, that they no longer even considered the topic.

                        Oh - I was only replying to your post.. not the whole paper

                        • scottalanmiller @Dashrender

                          @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                          Oh - I was only replying to your post.. not the whole paper

                          Oh, I read the entire 22-page article. It wasn't all bad, but it was clear that no one with an understanding of the topic was involved because it basically had a tiny amount about the topic, and a huge amount lost talking about unrelated things like social engineering and investment dollars rather than the licensing.

                          But it was suggestive that they spent most of the paper trying to come up with excuses for why closed source was still acceptable even though all evidence and logic pointed to the contrary by trying to show that what matters is something else. And that's true, the source licensing is not the biggest factor... but it's the factor being discussed. They definitely resorted to misdirection to try to downplay a conclusion that they were aware of.

                          • Dashrender @scottalanmiller

                            @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                            Oh, I read the entire 22 page article. It wasn't all bad, but it was clear that no one with an understanding of the topic was involved because it basically had a tiny amount about the topic, and a huge amount lost talking about unrelated things like social engineering and investment dollars rather than the licensing.

                            But it was suggestive that they spent most of the paper trying to come up with excuses for why closed source was still acceptable even though all evidence and logic pointed to the contrary by trying to show that what matters is something else. And that's true, the source licensing is not the biggest factor... but it's the factor being discussed. They definitely resorted to misdirection to try to downplay a conclusion that they were aware of.

                            Wait a min - where did licensing come into this conversation? I thought we were talking about security of code, open source vs closed source?

                            • Dashrender @Dashrender

                              @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                              What a min - where did licensing come into this conversation? I thought we were talking about security of code open source vs closed source?

                              OH - the type of license applied to the source.. nevermind - I get it.

                              But wait - open vs closed isn't the biggest factor for security in code? then what is?

                              • scottalanmiller @Dashrender

                                @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                                But wait - open vs closed isn't the biggest factor for security in code? then what is?

                                The quality of the code being written.

                                • scottalanmiller

                                  There are SO many factors that go into making code, and all of them play a factor in the security of the final product.

                                  Some of the factors that play in...

                                  1. Skill level of the developers.
                                  2. Security mindedness of the organization.
                                  3. Priority given to security.
                                  4. Security training.
                                  5. Code Auditing.
                                  6. Licensing
                                  7. Market pressure for security.
                                  8. Legal penalties for insecurity.
                                  9. Passion for project.
                                  10. Development environment and ecosystem.
                                  11. Tooling
                                  12. Project Management
                                  13. Deadline Management and Time Pressure
                                  14. Type of software being written.
                                  15. Ecosystem of libraries and components.
                                  16. Architecture and design of software.
                                  17. Up to date tools and libraries.
                                  18. Value of compromising system.
                                  • scottalanmiller

                                    For example, in one of the articles it was pointed out that Microsoft's culture made it hard for them to retain highly skilled developers and that they relied very heavily on smart, but inexperienced, college grads. This means that they aren't leaning on those that are most competitive (those tend to be hired before college) nor on those that have built up the best reputation (highly experienced), as both of those were being poached by other, more competitive firms. So Windows was (and still is, we assume) suffering from having to be made by people with less overall experience and less overall skill than are going to other firms, while having less political clout to push for good things in the environment.

                                    The latter is more important than it seems. Very few companies make it comfortable for a junior developer to take personal career risks to push for things like performance or security. Those things put their careers in jeopardy and offer little to no potential reward. And as a junior, you lack the reputation to push through an agenda that a PM might not want, and almost certainly lack the confidence to attempt it.

                                    MS also lacks being a "sexy" place to work. It's not something you brag about. In fact, in many cases, it's a bit embarrassing. Heck, they hired our community's famous drunk that is all but banned from any professional event because he constantly shows up wasted and harasses the speakers and pukes at the event (for real.) This is the bar for being an MS engineer. I'd be ashamed to be associated. Their behaviour in this community is utterly unprofessional as well. Bottom line, coming home from a sweet startup making something amazing is likely to drive a lot more happiness at work than being a grunt working at MS, where most people who learn where you work are happy for you that you have a job, but ultimately feel badly for you that you failed to get into a place you were hoping to get and had to settle.

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                      The quality of the code being written.

                                      yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large.

                                      • scottalanmiller @Dashrender

                                        @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                                        yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large.

                                        One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do.

                                        But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect.

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                          One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do.

                                          But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect.

                                          I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable. I mean I suppose you could use the same licenses MS has today on open source code, but how many people would still simply steal it?
                                          This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.

                                          • JaredBusch @Dashrender

                                            @Dashrender said in Is Open Source Really So Much More Secure By Nature:

                                            Open source seems to be much more difficult to make profitable

                                            Of course it is. @scottalanmiller said as much about his own company.

                                            @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                            The benefits of close source (and you can trust me, I run a closed source software firm) are 100% to the vendor keeping their technology out of their competitors hands. Closed source often makes it easier to make money on software where customers are unlikely to pay for support. That's it. That's the only benefit (but it's a big one), but the benefit exists only to the company selling access to the code. From the customers' perspective, every closed source product would be equal or better if opened.
