Jeremy Allison, co-author of Samba, sounds off for open source and Steve Lipner, Microsoft Security Response Center Manager, sounds off for proprietary in the continuing debate over which is more secure (how about that Microsoft guy, with a title like that he must be busy as hell; well, let me revise, he'd be busy if Microsoft did RESPOND to security issues. I guess after all it's not that hard to just ignore it or say "known issue" all day.)
My Microsoft jabs aside (which are EARNED jabs, by the way; I have had to employ and support many Microsoft products, and my disappointment and disgust are not just bandwagon style, they are based on my experience), I have to say that while this is an interesting article with interesting viewpoints on both sides, neither one of them is right.
I would have to say that Allison is more correct in my experience, but the key is that the entire implementation is what makes security, not some software product. Is Red Hat Linux or Windows 2000 secure right "out of the box"? Hell no, neither one of them is close. But these are implementation issues. I have heard some folks claim that the "default" setup a product ships with should be what the product is judged by (in particular, some guy on Bugtraq wrote a paper picking on PHP because the default settings are exploitable if no care is taken when setting up or writing the application, and that therefore made it insecure in general.) That's flat out wrong. Products are shipped with as much functionality as possible turned on, and that's exactly NOT what you want when you are trying to make something secure. Security, again, is a process and a result of the product and its implementation (as Allison does mention.)
The Microsoft claim that proprietary is more secure because of the rigorous quality testing it goes through is ludicrous. I don't fault it just for being Microsoft alone, but let's face reality: MS products are worse than Charlie Sheen guarding the Catholic Girls College (OK, lame joke, but you get the idea of the analogy.) Microsoft is notorious for the worst security flaws in the industry. In fact "Microsoft Security" is somewhat of an oxymoron, and the mere fact that a Microsoft manager would claim they are more secure in general is another insult to the intelligence of IT departments, managers and end users everywhere. I can't say unequivocally that open source is always better, but I can say that calling Microsoft better is WRONG. In general, if security is a concern or requirement, Microsoft is not the place to turn.
As to which model of development is better? I think that both parties make valid points. Allison says that open source is more concerned with quality and getting it right than with deadlines; I agree. Lipner says that more facilities are available to proprietary developers and large companies to ensure quality. Lipner is right, more are available, but I would have to disagree with him that the result is better. I have worked for large companies, and despite the resources available, the deadlines, marketing and overall bureaucratic crap often get in the way of the substance (and it seems the bigger the project, the more the focus blurs.) The main point is that it could be done RIGHT and SECURE either way, but neither is perfect. There is no black and white distinction; the rule remains, pick the right tool for the job and the right person(s) to implement and support the job. That's what makes a successful and secure software application or project.

ZDNet: Which is more Secure? Open Source vs. Proprietary