Back in the old days there was a lot of FUD about Linux and open source software security. This mostly came from proprietary software vendors afraid of competing with "free," led by Microsoft, which also added numerous total cost of ownership studies it had commissioned "proving" that free software was much costlier than paying for expensive proprietary licenses when hidden costs were figured into the mix.
These days, Microsoft has changed its tune and has become one of the largest distributors of Linux and other open source products on the planet (and one of the largest contributors of code upstream). It's also one of the largest developers of open source software worldwide and a major source of funding for the Linux Foundation.
Microsoft is not alone in this move from enemy to user to active contributor to open source projects.
"As Microsoft 'leans-in' to open source, they now freely service a huge amount of FOSS infrastructure on their own popular Azure cloud," said Tom Henderson, principal researcher at Indiana-based ExtremeLabs. "Amazon does. Oracle does. IBM does – and with Red Hat as an ally. The world has shifted, and agility means getting the job done cost-effectively and using the right tools."
So what are "the right tools?" According to Henderson, these usually include some kind of mix of Linux and the open source development model, along with open source project such as OpenStack, Kubernetes and the Istio service mesh. Yet, despite open source's prevalence in data centers, there are some who still believe that open source is somehow less secure than proprietary products. But, when it comes to open source vs. proprietary software security, is there really reason to believe that open source is less secure? Not according to Henderson.
"Some of the bad rep was lack of familiarity and vendor FUD," he said. "Open source is inherently more secure for the reason that patches, fixes and updates come immediately, and sometimes from competing sources. Time is of the essence in any bug or vulnerability, and vendor dependency can mean the difference between oops and fixed – in the shortest time."
Because human-readable source code is readily available as a condition of open source licensing, open source vendors are forced to react quickly to patch any and all security vulnerabilities once they are known. By comparison, back in the days when almost all software was proprietary, vendors often left difficult-to-exploit vulnerabilities unpatched for long periods of time if they were not known to the public, a practice that many assume continues.
"There is security through obscurity," Henderson said. "Closed source apps indeed hide a lot of behavioral mistakes. This said, let eyes look. So many great GitHub forks have occurred when people took the time to genuinely improve things, which doesn't find an opportunity in non-FOSS code."
The notion that both white hats and black hats have eyes on the source code has been a central component of open source security ever since open source pioneer Eric S. Raymond noted that "given enough eyeballs, all bugs are shallow," which he called "Linus' law" in honor of Linux creator Linus Torvalds.
The speed with which open source software security issues are typically fixed in open source projects was evident just last week. On November 10, 2020, GitHub security researcher Kevin Backhouse posted a blog entry, “How to get root on Ubuntu 20.04 by pretending nobody’s /home,” which outlined how he discovered – by accident a few weeks earlier on October 14 – that Canonical’s version of the Ubuntu Linux operating system had a bug granting admin rights to a non-privileged user. The Ubuntu Accounts Service issues were fixed by November 3.
This quick turnaround is not unusual for an open source project. However, proprietary software vendors like Microsoft often batch updates and patches for scheduled release dates. For example, Microsoft has a monthly “Patch Tuesday” on the second Tuesday of a calendar month; any security patch updates released outside that event are referred to as “out of band” updates.
Henderson pointed out that open source software security has also been improved because users now have a better understanding of the open source products they use, resulting in less "user error."
"People are much more familiar now with Linux controls and are used to configuring them deftly," he said. "In the olden days, many admins were honed on Windows administration and didn't know doodley about Unix/BSD/Linux and shot themselves in the foot. These days, controlling Linux security is a well-known set of profiles that can be replicated and tuned quickly."
This doesn't mean that open source software is uniformly safer simply because it’s not locked into a Patch Tuesday update model. Much like there are proprietary companies selling buggy and poorly maintained software, there are open source projects that are poorly funded and understaffed. Whenever making software choices, it's always good advice to "let the buyer beware."