Sunday, 20 September 2009

Who Is Looking at The Code?

At a Microsoft hosted security event earlier this year, Ed Gibson, the Chief Security Advisor to Microsoft UK, asked a rhetorical question about open source software - "Who is looking at the code?" This question made the audience pause.

Open source software is any computer program where the underlying code is legally available for review. Frequently the code is available as a requirement of development such as for compatibility testing, sometimes the code is available so that third parties can be wowed by the code and just occasionally companies are forced into releasing code because they didn't read all of the terms and conditions when they should have done (see the Forbes article Linux's Hit Men).

An oft touted advantage of open source software is Linus' Law, that "given enough eyeballs, all bugs are shallow". Translated from tech-speak this means that with enough people looking at a piece of software any problems can be identified and corrected quickly. The point of Ed's question was that the majority of people using open source software are not capable of looking at the code. The advantage of open source has turned on itself - if a flaw existed in the program the users are not skilled enough to spot it but a more skilled attacker could be.

This stands in contrast to the approach that Microsoft use for the majority of their products, where they keep the code closed source - unavailable for general viewing. From a security perspective, the users are in the same position as with open source in that they cannot help identify the flaw but the attackers don't have detailed information that would let them exploit a flaw.

Ed's point does have merit, in that small open source projects without a broad enough base of support could easily harbour an enormous number of security flaws. Even the largest open source developments, with a correspondingly large number of eyes on the source code, have been hit with extremely serious security problems.

Purely on security however, the problems with a closed source approach outweigh the advantages. Attackers wanting to break software are not constrained by the legal niceties of where the source code they are looking at came from. As the numerous leaks of personal information by the UK government have shown, if information is stored then it will be lost. Eventually, malicious groups will get their hands on the source code, and at that point Microsoft should accept all the help they can get to find solutions.

A problem that reaches beyond Microsoft can best be illustrated by altering Ed's question: who is checking your engine? Many people are not good enough mechanics to open a car up and make sure that there are not any problems, but they can take it to a garage and pay a specialist to do so. If access to the engine of their car were locked so that only the original manufacturer could look at it, then they would have to take the manufacturer's word that the car is fine. Similarly with software, any large company could pay a specialist to look through open source software and check for problems to give themselves peace of mind. This option is simply unavailable with closed source software, as it generally prevents even the sub-par solution of source code escrow. This being the case, it seems almost negligent for business critical software to be closed source.

Will Microsoft change to open source? Not without an extremely good reason to. They have an excellent business reason for keeping their code closed source - releasing the code would give their competitors a huge advantage in developing alternatives to the products that Microsoft offer. Microsoft currently make the de facto standard for operating systems, document creation and many business applications. Going open source with their software would risk giving all this up for an uncertain future. The purpose of a company is not to have perfect security but to engage in business, with all the compromises that entails.

Update: 27/09/09
Jon Shalowitz offers a directly opposing view in his ZDNet interview about Nominum.

"[J]ust look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to Bind and freeware products. And Nominum has not had a single known vulnerability in its [closed source] software."
