Security flaws plagued two stalwart open-source products, Linux and PHP, during the last month.
Late in February, a vulnerability in PHP, a popular Web scripting language, was found that could allow an attacker to execute arbitrary code on a server running PHP. Just a couple of weeks ago, a flaw in the software compression library in Linux left machines running it open to attack over the Internet.
For some, the flaws highlight the fact that software -- whether open or closed source -- will contain mistakes. If anything, the organizational structure of open-source software lends itself to reporting such flaws; by contrast, a vendor of a closed-source product may hesitate to announce a flaw because of worries about the bottom line.
Generally, the security of an operating system is a function of its maturity, said Eric Hemmendinger, research director for security and privacy at Boston-based Aberdeen Group. Operating systems such as OS/390 and OS/400 are very mature and one never hears about security flaws found in them. "Any of them would have been found years ago," he said.
Much the same is the case with Unix flavors such as Solaris, HP-UX and AIX. Microsoft's NT/2000/XP "is not as far along in its lifecycle," Hemmendinger said. Also, Windows has a large user base (and attacker base), so flaws tend to come to light quickly. Linux is even earlier in its lifecycle than Windows.
Linux, however, may be spared some of the hurdles that Windows has faced because of its open-source nature, Hemmendinger said. When a lot of eyes are able to view the source code, flaws are spotted faster than when an operating system comes from a single supplier, he said.
Jason Taule sees another benefit of being able to see the code from a user's perspective. "Access to source means we can conduct a more thorough evaluation of its security and therefore do a better job of managing risk," said the director of information and systems security at Baltimore-based Ajilon.
Beyond just seeing the code, one is able to change it with open source. That comes in handy when tailoring a specific installation, Taule said.
Open source under constant scrutiny
Both Linux and PHP are part of a very popular collection of open-source software sometimes referred to as LAMP. The Apache Web server and MySQL database round out the group.
Security is different with open source than closed source because it's "scrutinized by thousands (if not tens of thousands) of people, and tested by millions," said Marten Mickos, MySQL's CEO.
"Our software is downloaded 20,000 times per day from our Web site, which means that any new version that goes out instantly is being scrutinized and tested by tens of thousands, and any problems are fixed before the software reaches the mainstream users," Mickos said.
The biggest flaw found so far in MySQL was in version 3.23.31. Someone found a way to use a malformed SQL statement to generate a stack overflow that could possibly make the MySQL server execute external code, Mickos said. The hole, however, could only be used by someone with an account on the MySQL server.
A patch for the flaw was issued within 24 hours and a new MySQL binary release was issued within 72 hours after the bug was reported, Mickos said.
Yet Mickos notes MySQL can only be as secure as the operating system it runs on.
Apache has a clean track record
Similarly, most security issues with Apache involve the underlying operating system more than the Web serving software itself, said Jim Jagielski, senior engineering consultant at Covalent and a member of the Apache Software Foundation board of directors. "It relies so heavily on the operating system."
However, there have been no recorded CERT alerts for Apache, noted Randy Terbush, Covalent's chairman and CTO and one of the original developers of Apache and an Apache board member.
Both Jagielski and Terbush credit Apache's open source nature as the reason it has had a good security track record. Literally thousands of people scan the source code looking for potential problems. Even some white-hat hackers look at the code specifically for areas that might be exploitable by attackers, Terbush said.
The driving force behind Apache is a little different than that behind proprietary applications. The Apache Software Foundation is not bound, as a private software company is, to release a new version each year whether it's ready or not. The board takes a lot of pride in releasing good, secure code, Jagielski said.
Whether open or closed, solution must work
Yet, the open source nature of Linux, Apache, MySQL and PHP is probably not the main reason users implement them. They are used because they work well. "At the end of the day, they choose the best alternative to solve their problems," Hemmendinger said.
That has been Brad Gruber's experience. Gruber is president of Relief Data Services, a full-service information technology company in Uniontown, Ohio. "Open source in itself is not really a factor as much as the overall value of the business solution," he said.
Some of Gruber's clients ask about open source if they are not already using it. "A few of our clients don't even want to hear the words 'Linux' or 'open source.' These are the people that have bought into the fallacy that open source is not secure," he said.
Gruber rejects the argument that open source is not secure, but he also questions whether it is innately secure. All software needs to be configured properly to be secure, he said.