Move over Microsoft, there’s a new security punching bag in town: open source software.
Security consultants at Aberdeen Group examined security advisories published by the Carnegie Mellon University Computer Emergency Response Team (CERT) through October of this year. They found that nearly half of the advisories — 16 of 29 — affected open source software, including Linux products. Unix systems likewise were affected by 16 of the vulnerabilities for which CERT issued advisories, while only seven of them affected Microsoft products.
“Obviously, the label of poster child for security glitches moved from Microsoft to the shoulders of open source and Linux product suppliers during 2002,” says the Aberdeen report, written by Jim Hurley and Eric Hemmendinger. “Also contrary to popular wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses and worms” as are Microsoft systems.
The CERT Coordination Center is widely recognized as a center of security expertise, and many organizations rely on its notifications of security incidents and advisories. CERT/CC issues incident notes when it receives reports from organizations that are hit with a particular virus, worm or other threat. An advisory is issued to alert users to vulnerabilities in various systems that make those systems susceptible to security breaches.
Aberdeen’s report says Microsoft’s Trustworthy Computing initiative, launched in January of this year to address issues in the software development process that lead to security vulnerabilities, “appears to be working.” The authors exhort open source and Linux software developers “to take similar measures.”
They also sound an ominous note, pointing out that “the incorporation of open source software in routers, Web server software, firewalls, databases, Internet chat software and security software is turning most Internet-aware computing devices and applications into possible infectious carriers.”
Acknowledging that such problems will take years to correct, the Aberdeen analysts encourage users to invest in tools and services that automate the process of discovering and repairing vulnerabilities.