This article about Microsoft vs. Linux (link dead, sorry) is interesting in its own right, but a couple of paragraphs from Microsoft's position stand out for me:
Additionally, security vulnerabilities in open-source software, which often go unnoticed with the limited scenarios that actually deploy open-source software, also often remain unaddressed for long periods of time because there is no central organisation driving development. Evaluating open-source software for security is a complex proposition.
Open-source software is now a major source of security vulnerabilities. The Computer Emergency Response Team reported that open-source and Linux software accounted for 16 out of 29 security advisories for the first 10 months of 2002, whereas Microsoft accounted for seven of these 29 advisories.
That's the kind of argument you'd expect Microsoft to make, and the kind that worries me.
I would like to know why evaluating open source software for security is any more complex than evaluating Microsoft software. Certainly more eyes are available, and none of those eyes have to worry about political implications: I'm thinking of a case where fixing a security problem might cause expensive problems for other software. The open source folks wouldn't worry about that at all, but Microsoft certainly would, and might very well delay the fix because of it.
I'd also question the statistics for vulnerabilities. Again, a lot more eyes are looking for problems in open source code, and it's also a matter of record that Microsoft doesn't report problems until their hand is forced. So how valuable are these numbers?
Finally, what about the severity of the vulnerability? Many of these advisories are for obscure situations that may not even apply to commonly used software. On the other hand, Microsoft often gets sucker punched: just two days ago, for example, there are new Internet Explorer Vulnerabilities serious enough to do real damage.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2012-06-22 Tony Lawrence