Managing Network Security

Is Open Source More or Less Secure?

by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Now that you know the conclusion of this month's article - that open source is not, more or less, secure, you might want to know that closed source software is also not, more or less, secure, Most software today is really far less secure than those of us who want effective protection would have it. That goes for open and closed source. But the question of which we should use under what circumstances remains an issue that we should address for our organizations and ourselves.

By way of full disclosure, I should note that I both buy and sell closed, slightly open (open to customers only), and open source software. So I obviously think that each is a viable approach depending on the specifics of the situation. The question then remains of how the balance of factors influences decisions in this regard.


First and foremost, in comparing open source to closed source, we need some basis for comparison. Since there are no applicable security metrics suited to this question, at least as far as I am aware, we probably need to create some if we are to have a basis for a meaningful comparison.

In order to create such metrics we probably need to start with some notion of the parameter space. And here we run into further problems because those in the 'debate' each seem to select their parameters to meet their desire to won the debate rather than to help us make better decisions. Naturally nobody will fund a 'neutral' study in this regard and whoever did fund it would be scrutinized for it and the results would be scrutinized based on the funding source. Since nobody in this industry is beyond reproach (present company excepted) I thought I might start down this road in this article because I was not funded to do it and because Network Security Management's level of payment for these articles wouldn't influence a starving man to eat a slice of bread. (Editors - please note the not-too-subtle hint at a pay raise).

Of course you get what you pay for, so this is not the result of some extensive study or deep analysis. If you want to fund me to take up your side, I am generally available at my normal fees, but be warned, my contracts stipulate that if you don't like the results, it's tough luck for you - and in this case I would want payment in advance.


The basic positions of the two sides in this debate come down to:

In my usual fashion, I will now rip into these positions one at a time. Don't count on any of them still standing at the end.


How do I decide?

That's easy. I only use closed source when it is easier or more cost effective for me (easy being a dominant cost factor for most software in my case). I only choose open source when it is easier or more cost effective for me as well. All things otherwise being equal, I will choose open source on the off chance that I would one day decide it was worth looking at the code for some reason or another.

Do I buy Microsoft products? Sure - when there is something that I can only do under Windows. Would I rather use open source? Sure - I use Star office except when I absolutely must use word because of an intentional incompatibility they created, but nothing touches Microsoft Project for the cost today.

Do I sell Microsoft? No way. All of my products start with open source and augment them (added value I guess I should call it) with open or closed source as appropriate. I too like to protect my investment of time and effort by keeping some of my source code proprietary. Can someone malicious decode it? Sure, but I want to make it harder.


Well, now I've done it again. I've wasted another 24 column inches and 15 minutes of your valuable space and time while offending everyone on all sides of this issue. When will I learn? Probably the same day that the open source and closed source folks agree on their positions. We will all be long dead by then.

Is there a conclusion to be drawn? Sure. Open and closed source each have their places and you need to put them and keep them in their places.

My method of deciding on open vs. closed source is ad hoc and perhaps unworkable for a major corporation such as yours, but I am sure that you will be able to find your own way to go about it - now that you have the facts to dispell the rumors and get down to cases.

About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting