Open Source: The New Security Problem Child?

Move over Microsoft, there's a new security punching bag in town: open source software.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted November 27, 2002

Paul Desmond

Move over Microsoft, there's a new security punching bag in town: open source software.

Security consultants at Aberdeen Group examined security advisories published by the Carnegie Mellon University Computer Emergency Response Team (CERT) through October of this year. They found that nearly half of the advisories -- 16 of 29 -- affected open source software, including Linux products. Unix systems likewise were affected by 16 of the vulnerabilities for which CERT issued advisories, while only seven of them affected Microsoft products.

"Obviously, the label of poster child for security glitches moved from Microsoft to the shoulders of open source and Linux product suppliers during 2002," says the Aberdeen report, written by Jim Hurley and Eric Hemmendinger. "Also contrary to popular wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses and worms" as are Microsoft systems.

The CERT Coordination Center is widely recognized as a center of security expertise, and many organizations rely on its notifications of security incidents and advisories. CERT/CC issues incident notes when it receives reports from organizations that are hit with a particular virus, worm or other threat. An advisory is issued to alert users to vulnerabilities in various systems that make those systems susceptible to security breaches.

Aberdeen's report says Microsoft's Trustworthy Computing initiative, launched in January of this year to address issues in the software development process that lead to security vulnerabilities, "appears to be working." The authors exhort open source and Linux software developers "to take similar measures."

They also sound an ominous note, pointing out that "the incorporation of open source software in routers, Web server software, firewalls, databases, Internet chat software and security software is turning most Internet-aware computing devices and applications into possible infectious carriers."

Acknowledging that such problems will take years to correct, the Aberdeen analysts encourage users to invest in tools and services that automate the process of discovering and repairing vulnerabilities.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.