Open source vs closed source: opinions from a virus analyst

Kaspersky Lab's David Emm weighs in on open source security
David Emm, Kaspersky Lab senior regional researcher, Global Research & Analytics Team.

David Emm, Kaspersky Lab senior regional researcher, Global Research & Analytics Team.

Open source security is a hot topic in the IT world. Some people believe that open source solutions are a potential playground for mischief-makers and cyber criminals, while others swear they’re safer than proprietary software. During a Kaspersky Lab press tour to Croatia, PC World Australia caught up with David Emm, a senior regional researcher in the Kaspersky Lab Global Research and Analytics Team. Here’s what he had to say about open source security.

PCW: Are open-source applications more or less secure than their closed-source counterparts?

David Emm: There are two ways of looking at it. With open source, more people can get their eyes on code. At first appearances, the immediate thought is that if the bad guys can see the code they can prod it and poke it, which perhaps makes it more vulnerable. On the other hand, it can also work the other way. The open source model is laid out for everybody to contribute to — it’s not just bad guys looking at the code and seeing where there may be vulnerabilities; good guys do too. So I don’t actually think there’s much to call between one and the other.

PCW: So who does open source aid more — good guys or bad guys?

David Emm: Any solution, particularly in regards to security, has to be well coded and updated regularly right from the word go — so it all depends on the individual application. When Windows Vista was developed, security was one of the key features that Microsoft factored into it. I think this has to be just as true of any solution in the open field. Basically, if somebody can find a security loophole, they will exploit it.

PCW: What are some of the chief security pitfalls for open source users?

David Emm: Whatever system you’re running, the key is still the same: you need to protect it. This involves Internet security products, firewall products, vulnerability-scanning and so on. But it also means patching. With open source mechanisms, this may require you to be more proactive as they don’t always have automatic updates. So, if I’m running OpenOffice, I’ve got to ensure any available patches are in place myself. As a consumer, the onus is on you to take the appropriate steps — don’t rely on whatever application you're running to update security by itself.

PCW: In your experience, how does open source security software shape up compared to commercial products, like those from Kaspersky Lab?

David Emm: With commercial solutions, there has to be a built-in support network for everything — all the way down to installation. This is a pretty key — it’s the difference between providing a spade for the gardening and providing a gardening service. We provide the support infrastructure which may not be there [with open source applications]. We have a full-on customer service team and that’s pretty much what they do 24/7. With a non-commercial product, it’s difficult to see how they could provide this same level of support. I think this is the main differentiator.

PCW: Generally, do you think open source users are more security conscious?

David Emm: I think in most cases they’re more security conscious. For instance, if you think of people who go for Firefox over IE, a chunk of them would have made that decision because they’ve read or heard about vulnerabilities for Internet Explorer. They’re perhaps better informed that the bad guys target commonly used systems, which makes Firefox potentially safer. Ironically, it’s now a bigger target for vulnerability attacks than when it first launched, because a lot more people are using it. I think a lot of closed source users assume they’re safe because the code is hidden — they’ll play poker because nobody can see their hand. But I think these people are playing a dangerous game. Obviously, just because an application is closed source doesn’t mean it won’t have vulnerabilities.

PCW: Where do you see IT security going in the future?

David Emm: I think one of the biggest challenges is going to come with cloud computing. One of the main drivers of cloud computing is cost, with less attention paid to security. One of the dangers is that if companies begin to outsource applications and security measures, they will lose direct control of their customer’s data — the applications that manipulate the data are all off-site. We need to find ways in which everyone can feel comfortable about how secure the data in the cloud is. What worries me is that security doesn’t always get looked at right up front.

PCW: But surely people will demand higher security measures from cloud computing services? After all, if the data isn’t on your personal hard drive, there’s more to be paranoid about.

David Emm: You may be right. But if you look at the whole Web 2.0 thing, people are not necessarily thinking security — they’re thinking convenience. They want a two-way relationship, where they don’t just get fed but also contribute to the meal. They may think the convenience of having information in the cloud is great, but they won’t necessarily think about what the security implications could be. On a consumer level, many people simply aren’t aware of the potential risks — they don’t have the knowledge. And on a corporate level where cost is a driver, it may only be a priority after something bad has happened. In all areas of society, we tend to get bitten by something before we become aware of the potential threat.

Chris Jager flew to Croatia as a guest of Kaspersky Lab.

Follow PC World Australia on Twitter: @PCWorldAu