Open Source Versus Closed Source Software
“A cryptographic system should still be secure if everything about it is known except its key. You should not base the security of your system upon its obscurity.” - Auguste Kerckhoffs (1883).
Auguste Kerckhoffs was a Flemish cryptographer and linguist who studied military communications during the Franco-Prussian War. He observed that neither side could depend upon hiding its telegraph lines and equipment from the other, because the enemy would find the hidden lines and tap into the communications. One could not rely upon one's system being obscure. In 1948, Claude Shannon of Bell Labs extended Kerckhoffs's law when he said, “Always assume that the enemy knows your system.” Cryptographers and military colleges teach Kerckhoffs's and Shannon's laws as fundamental rules of information security.
How does this apply to computer security? There are a few basics that we should understand. Programmers write their code in human-readable source code, which is then compiled into binary object code (i.e., zeros and ones), and very few people can read binary code. To protect their revenue, developers do not release their source code when they sell software; they release only the binary object code. This closed source code is their proprietary “crown jewels”, to be carefully guarded. In contrast, open source software is not for profit at all: the source code is provided along with the binary object code so that other developers can read it, add to it, write new features, or find and fix bugs.
So, does this mean that closed source is safer than open source because no one can see the bugs or security holes that might be hidden in the source code? No. With closed source, there is a temptation to rely on “security via obscurity.” The history of security holes is that they become well known anyway, because there may be literally hundreds of people with access to the source code, and some of these people come and go. Some take the code with them, and some share it with others, who post it on the internet.
Then there are the decompilers. Decompilers are software that converts binary object code back into source code. Decompilers do not produce exact copies of the original source, but they are getting better every day. With their help, attackers can better guess where the security holes are.
There is also an inclination within the closed source community to rely upon the source code being hidden as a line of defense. In effect, they drop their guard, falsely thinking that they are safe, when in reality they become more vulnerable. The open source community has far more people able to examine the code than any closed source system does. One of the beliefs of the open source community is that “no bug is too obscure or difficult for a million eyes.”
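As an added illustration of the argument above (example code written for this page, not part of the original essay): a scheme whose only secret is a constant baked into the program, beside a keyed scheme, both examined by an attacker who has obtained the source. The pad constant, the key and nonce sizes, and the HMAC-SHA256 counter-mode keystream are constructed for the demonstration and are not from the essay.

```python
import hashlib
import hmac
import os

# Scheme 1: "security via obscurity". The only secret is the pad baked into
# the program; anyone who reads the source (or decompiles the binary) can
# undo it, so the scheme fails Kerckhoffs's test.
_HIDDEN_PAD = bytes.fromhex("5a3c9e17c2f08b64")  # constructed sample constant

def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR with a fixed, repeating pad; there is no key at all."""
    return bytes(b ^ _HIDDEN_PAD[i % len(_HIDDEN_PAD)] for i, b in enumerate(plaintext))

# Scheme 2: the algorithm is public and only `key` is secret. Demonstration
# construction (HMAC-SHA256 in counter mode), not a recommended cipher.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR with the keyed stream; the same call decrypts. Never reuse (key, nonce)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def attacker_with_leaked_source(ciphertext: bytes) -> bytes:
    """The leak scenario from the essay: the attacker has the full source.
    For the obscure scheme that is everything needed to read the message."""
    return obscure_encrypt(ciphertext)  # XOR with the now-known pad undoes it

def attacker_guess_keyed(ciphertext: bytes, nonce: bytes) -> bytes:
    """Same attacker, same leaked source, keyed scheme: knowing the algorithm
    and nonce is useless without the key, so a guessed key yields noise."""
    return keyed_encrypt(b"\x00" * 32, nonce, ciphertext)  # wrong key

def demo() -> tuple:
    """Return (obscure scheme broken by the leak, keyed scheme broken by the leak)."""
    msg = b"Always assume that the enemy knows your system."
    obscure_broken = attacker_with_leaked_source(obscure_encrypt(msg)) == msg
    key, nonce = os.urandom(32), os.urandom(12)
    keyed_broken = attacker_guess_keyed(keyed_encrypt(key, nonce, msg), nonce) == msg
    return obscure_broken, keyed_broken

if __name__ == "__main__":
    print(demo())  # (True, False)
```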
Developers' motives also differ. Open source coders generally do not write for profit. Closed source developers are inevitably writing for profit. With the profit motive comes more pressure to release software quickly to “beat the market.” Rushing code to market is one of the surest ways of releasing defective code, and the result is tons of patches and releases to download every month. This type of pressure doesn't exist in the open source world, since there is no profit involved.
Can there be secure closed source software? Yes, of course. But the developers must be committed to security from the very beginning of the development process. By most reasonable measures, open source can be considered more secure than closed source software, and will continue to be. This is what Auguste Kerckhoffs would have predicted.
Open source continues its march to world code domination. See the Bossie Awards 2011 for the top open source applications.