Open source vs closed source: opinions from a virus analyst

Kaspersky Lab's David Emm weighs in on open source security

David Emm, Kaspersky Lab senior regional researcher, Global Research & Analytics Team.

Open source security is a hot topic in the IT world. Some people believe that open source solutions are a potential playground for mischief-makers and cyber criminals, while others swear they’re safer than proprietary software. During a Kaspersky Lab press tour to Croatia, PC World Australia caught up with David Emm, a senior regional researcher in the Kaspersky Lab Global Research and Analytics Team. Here’s what he had to say about open source security.

PCW: Are open-source applications more or less secure than their closed-source counterparts?

David Emm: There are two ways of looking at it. With open source, more people can get their eyes on code. At first appearances, the immediate thought is that if the bad guys can see the code they can prod it and poke it, which perhaps makes it more vulnerable. On the other hand, it can also work the other way. The open source model is laid out for everybody to contribute to — it’s not just bad guys looking at the code and seeing where there may be vulnerabilities; good guys do too. So I don’t actually think there’s much to call between one and the other.

PCW: So who does open source aid more — good guys or bad guys?

David Emm: Any solution, particularly in regards to security, has to be well coded and updated regularly right from the word go — so it all depends on the individual application. When Windows Vista was developed, security was one of the key features that Microsoft factored into it. I think this has to be just as true of any solution in the open field. Basically, if somebody can find a security loophole, they will exploit it.

PCW: What are some of the chief security pitfalls for open source users?

David Emm: Whatever system you’re running, the key is still the same: you need to protect it. This involves Internet security products, firewall products, vulnerability-scanning and so on. But it also means patching. With open source mechanisms, this may require you to be more proactive as they don’t always have automatic updates. So, if I’m running OpenOffice, I’ve got to ensure any available patches are in place myself. As a consumer, the onus is on you to take the appropriate steps — don’t rely on whatever application you're running to update security by itself.

PCW: In your experience, how does open source security software shape up compared to commercial products, like those from Kaspersky Lab?

David Emm: With commercial solutions, there has to be a built-in support network for everything — all the way down to installation. This is pretty key — it’s the difference between providing a spade for the gardening and providing a gardening service. We provide the support infrastructure which may not be there [with open source applications]. We have a full-on customer service team and that’s pretty much what they do 24/7. With a non-commercial product, it’s difficult to see how they could provide this same level of support. I think this is the main differentiator.

PCW: Generally, do you think open source users are more security conscious?

David Emm: I think in most cases they’re more security conscious. For instance, if you think of people who go for Firefox over IE, a chunk of them would have made that decision because they’ve read or heard about vulnerabilities for Internet Explorer. They’re perhaps better informed that the bad guys target commonly used systems, which makes Firefox potentially safer. Ironically, it’s now a bigger target for vulnerability attacks than when it first launched, because a lot more people are using it. I think a lot of closed source users assume they’re safe because the code is hidden — they’ll play poker because nobody can see their hand. But I think these people are playing a dangerous game. Obviously, just because an application is closed source doesn’t mean it won’t have vulnerabilities.

PCW: Where do you see IT security going in the future?

David Emm: I think one of the biggest challenges is going to come with cloud computing. One of the main drivers of cloud computing is cost, with less attention paid to security. One of the dangers is that if companies begin to outsource applications and security measures, they will lose direct control of their customer’s data — the applications that manipulate the data are all off-site. We need to find ways in which everyone can feel comfortable about how secure the data in the cloud is. What worries me is that security doesn’t always get looked at right up front.

PCW: But surely people will demand higher security measures from cloud computing services? After all, if the data isn’t on your personal hard drive, there’s more to be paranoid about.

David Emm: You may be right. But if you look at the whole Web 2.0 thing, people are not necessarily thinking security — they’re thinking convenience. They want a two-way relationship, where they don’t just get fed but also contribute to the meal. They may think the convenience of having information in the cloud is great, but they won’t necessarily think about what the security implications could be. On a consumer level, many people simply aren’t aware of the potential risks — they don’t have the knowledge. And on a corporate level where cost is a driver, it may only be a priority after something bad has happened. In all areas of society, we tend to get bitten by something before we become aware of the potential threat.

Chris Jager flew to Croatia as a guest of Kaspersky Lab.

Chris Jager

PC World