Security Comparisons of Open Source and Closed Source Programs
Katherine Wright

Introduction
- What is open source
- Why is open source potentially more secure
- Why is closed source potentially more secure
- Payne's studies
- Ransbotham's studies

What is an open source program?
- A development methodology in which the source code is available to anyone to read and modify, from the inception of the project through its lifecycle
- Also includes licensing the work so that it can be used in other projects and so that derivative works can be created

Open Source and Free Software
- Open source: works should be made available to the public
- Free software: “The word "free" in our name does not refer to price; it refers to freedom. First, the freedom to copy a program and redistribute it to your neighbors, so that they can use it as well as you. Second, the freedom to change a program, so that you can control it instead of it controlling you; for this, the source code must be made available to you.” (Richard Stallman)
- Free as in beer (“gratis”) vs free as in speech (“libre”)

Why Open Source: Peer Review
- The most commonly stated reason for open source
- If everyone can see the source code, no one can sneak in backdoors or trojans
- The peer review process is used to guarantee the security and stability of algorithms

Peer Review
- Users submit bug reports
- Users sometimes patch bugs themselves
- Users have the ability to verify the security of algorithms and code

Why Open Source: Version Control
- Large open source projects usually have good version control
- Ability to roll back easily if malicious changes are made
- Linux-like projects: contributors can only submit patches, which are verified before being accepted

Why Open Source: In-house modifications
- Security-critical entities can more easily verify that the software is not malicious
- Less secure software can be modified to meet security needs
- If a vulnerability is discovered, patches can be rolled out without waiting on a central entity

SELinux
- Developed by the NSA and others, released in 2003
- Can be applied to UNIX-like kernels (Linux and BSD, among others)
- Implements mandatory access control (MAC)
- Provides a more secure OS without requiring in-house development

Why Closed Source: Security through Obscurity
- Security through obscurity: if nobody knows that a vulnerability exists, they won't take advantage of it. Probably.
- Source code: easy to read, well-commented
- Binaries: cryptic, require reverse engineering
- Defenders vs attackers: the Ransbotham study indicates a shorter turnaround on exploits for open source projects

Why Open Source: Security through Obscurity fails
- Can't rely on vulnerabilities remaining hidden
- Attackers can exploit development servers, fuzz input, reverse engineer binaries, etc.
- Security through obscurity is not enough on its own; somebody will find out.

Why Closed Source: Few reviewers
- The average open source project is likely not reviewed, and therefore likely not secure
- Even well-maintained projects are often adopted before thorough review
- Open availability of the source can therefore give a false sense of security

Why Closed Source: Amateurs vs Professionals
- There may be many eyes, but how many of them are qualified?
- Open source projects are often free and not-for-profit, so it is hard to attract talented individuals
- Microsoft, IBM and other large corporations can have dedicated security teams

Why Closed Source: Open Source Amateurs
- Most open source projects need programmers
- No quality control on contributors
- Contributors don't necessarily know how to protect against common vulnerabilities

Why Closed Source: Patching
- When patches are released, users must be notified and download the new version
- Derivative works must be patched as well
- This can introduce significant delay
- Closed source tends to have better patch-pushing methods and fewer derivative works

Why Closed Source: Certification
- Software packages must be certified by the federal government before they can be used
- No open source packages have passed (maybe SELinux?)

Payne Study
- Done in 1999
- Examined Solaris, Debian GNU/Linux and OpenBSD
- Compared CIA (confidentiality, integrity, availability) vulnerabilities and features

Payne Study cont
Scores by operating system (most cell values were lost in extraction; the only surviving values are in the Debian column):

                          Debian    Solaris    OpenBSD
Features Average
Vulnerabilities Average
Unscaled Score            −1.30
Scaling Factor
Final Score               −1.0

Ransbotham Study
- Analyzed real vulnerability and exploit report data for closed source and open source programs
- Uses a lot of arcane statistics
- The statistics indicate that open source projects are more likely to be exploited, and that exploits happen earlier

Ransbotham Study cont
- Open source projects: 3,369 (26%); closed source: 3,121 (23%); unknown: 6,611 (51%)
- Table of counts and percentages for open source vs closed source, broken down by Exploited (No/Yes) and Complexity (Low/Medium/High); the cell values did not survive extraction

Conclusions/Questions

Bibliography
- Hoepman, Jaap-Henk and Bart Jacobs (2007). Communications of the ACM, 50. open-source/fulltext
- Payne, C. (2002). On the security of open source software. Information Systems Journal, 12: 61–78. doi: /j x
- Ransbotham, Sam (2010). An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software.
- Wheeler, David. Is Open Source Good for Security? source-security.html