Open Source vs. Commercial Software Security

Friday, December 10, 2010

Rafal Los


I seem to have touched a bit of a nerve with one of my previous posts, Small Office, Big [Software/eHealth] Problems.  

Some of you brought up a few issues here, including whether Open Source software is "more or less secure" than commercial software, or whether small offices (specifically medical practices) are at a higher risk than larger ones simply due to their operating model. 

So while I've had a few side conversations, and Alan Shimel wrote up a rebuttal to my post, I sense that these conversations are all still missing the same points. Here, then, is a more concrete wrap-up of my thoughts on the whole debate over Open Source vs. Commercial software as it pertains to software security.

It's not really about security

That's right: unless a piece of software explicitly states that its aim is to be more secure, whether it's an open-source or a commercial package doesn't matter.  Software can be written securely (or, conversely, insecurely) by an open-source project (as my post points out) or by a commercial vendor - it's all a matter of priority.

Most software is written for a specific purpose, and whether it's written for a doctor's office or the International Space Station... the purpose is the goal.  If the goal isn't to write secure software, then odds are security gets little or no attention, no matter who wrote the code.

On that note, how many pieces of software have you ever seen whose primary marketing pitch was "security"?  More to the point, how many of those packages have sold in high volumes in the mainstream (non-specialty) market?  For most people the answer is probably either none, or almost none.

Software sells because of features.  Features are most often the widgets, gizmos, and doohickeys that cause us security folks sleepless nights.  This cycle is unfortunately self-perpetuating, and unless some compelling event causes a shift in the development mentality, it will continue.  Software will keep treating security as an afterthought, with most of it written to get people to buy the cool shiny buttons and widgets.

So you see... at the end of the day, it's really not about security.  Whether software is open source or commercial, I don't think the quality with respect to security defects differs much.

But commercial vendors have accountability

While this may be a common misconception, I just don't see it holding any water in an argument.  Sure, you can hold a commercial vendor accountable for a piece of software being riddled with security defects that lead to a massive breach, but ultimately what matters in the court of public opinion is that you got breached.  The software is simply the vehicle for the breach, and it is barely mentioned (if ever).

A medical practice that suffers a significant data breach of their patient health record system makes the headlines and the evening news, while the software (and whether it was open source or commercial) rarely gets a mention. 

Odds are you may be able to sue a commercial organization for the bugginess of its software package, but make sure you read the fine print in the EULA (End User License Agreement), which disclaims all liability on the vendor's part and places the blame for nearly everything back on the user of the system.  If you bought it and implemented it, it's more than likely your fault.  If anyone has any evidence of this being otherwise (legal cases, press clippings or anything), I'd love to see it!

The one angle I will add on the open source front is that open source software rarely has a central support model (although it is not unheard of).  When you pull down an open-source package, the general feeling (whether it's true or not is another topic of debate) is that you're on your own.  Sure, there are forums, community bulletin boards, and sometimes entire companies set up to answer your questions - but those are either sparsely read or pay-for, which defeats the purpose of being "free".

Open source software does have plenty of accountability, though, if you look at the right packages.  I can name several that have great accountability (Ubuntu, anyone?) and responsiveness, as well as community support.  The issue here is that you have to make the effort to look... which leads me to my final point.

So what's the real issue?

It turns out that the real issue isn't really Open Source vs. Commercial software at all... at least not really.  What this conversation really devolves into is, shockingly, cost.  The reason smaller businesses tend to go open source and end up being more risk-prone (read: vulnerable) all comes down to the cost of doing business.

Small businesses look for ways to cut corners any way they can to stay competitive and ahead of their competition.  This, after all, is the true spirit of small business.  Delivering customer value at a lower price, with a "small business" feel, is what attracts many customers in the first place.  These types of Small to Medium sized Businesses (SMBs) are rarely found spending $100,000.00 on a commercial software package, plus support, when the payback (ROI) is either >3 years or maybe never.

Ultimately, the issue is cost.  SMBs tend to download and set up whatever is cheapest and will still get the job done in some valuable way.  If an open source package does the job and is easy to deploy - but has a ton of security bugs - they'll deploy it.  Why, you ask?  Because odds are they won't ever know about the security bugs...

SMBs rarely spend the cash to investigate the risk they're bringing on board when they adopt new software, because that costs money.  Further, a typical SMB won't have domain expertise in security, much less in advanced software security assurance or security testing.  Even if they hire a consulting firm to implement the software, and there happens to be a line item for security somewhere... which is rare... it's a virtual guarantee that the software isn't properly vetted or patched.

If an SMB finds a package that suits its needs without having to spend a lot of money, you can bet that package will get deployed, no questions asked.  As for the security ramifications... only the patients may one day find out the negative impact of that decision.

So what's the solution?

We've even had a few conversations about the solution... whether it makes sense to have a PCI DSS-style requirement for medical practices.  Maybe the answer is yes, as much as we in the security community are generally opposed to this idea on principle.  Will it raise the bar on security, or simply add more red tape?  Do you believe compliance makes the world safer (less risky) by raising the bar, or that it simply gives the lawyers work?

I think we need to educate, educate, educate.  Educate SMBs on the dangers of lapses in security.  Unfortunately, this can only be done by regulation.  Once we educate, we can then audit against those regulations to make sure there is at least a baseline out there.  If every SMB took at least minimal steps to investigate the software they're deploying "for free", they would probably realize that free isn't really free... and that there's a cost of doing business which must be addressed now - or the customer [or patient] ultimately pays later.

Cross-posted from Follow the White Rabbit
