[SCADASEC] Fw: Re: Why open source software is more secure

Bob Radvanovsky rsradvan at unixworks.net
Thu May 8 13:02:15 CDT 2008


More commentary about reasons/justifications for utilizing 'open source' software.  Again, this argument bears some merit.  For example, as a C-level executive, I don't care about safety issues, unless it's a regulatory requirement; rather, I care about cost.  An argument of safety and security comes down to asking the question 'how much will it cost me?'  Because of this important question, C-level executives are beginning to warm up to 'open source' software.  Why?  To them, it *appears* cheaper, and to some, it really has saved them budget costs and expenses.

I realize that SCADA and control systems are 'strange ducks' -- granted.  But, I think that the discussions I've read and heard about considering 'open source' are valid points.  Fact is, it is merely a myth that 'open source' is more secure.  What is fact is that exploits and vulnerabilities can be patched (usually) more quickly because of an 'open community' approach (two heads are better than one, etc.).  Therein lies the cost-savings justification for utilizing 'open source' as a viable option.

Something to think about, folks...

-rad

P.S.  Again, I want to re-emphasize that I am *NOT* promulgating propaganda about using 'open source', but am merely providing another perspective and opening everyone's eyes on this topic.  And...before some of you state that this isn't security-related or SCADA-related, think again.  At some point, your company *might* consider utilizing 'open source' software for your environments, again because of the apparent cost-savings benefits.  Security costs are an issue, esp. with most utility providers (water, gas, electric, etc.); therefore, if a utility company hasn't really thought about cutting costs by switching, I would be very surprised.

P.P.S.  "You may fire when ready, Gridley."
                - Commodore Dewey, "A Splendid Littl' War"

----- Original Message -----
From: Chad Perrin [mailto:perrin at apotheon.com]
To: security-basics at securityfocus.com
Subject: Re: Why open source software is more secure


> On Thu, May 08, 2008 at 08:14:17AM -0700, Ali, Saqib wrote:
> > On Thu, May 8, 2008 at 1:41 AM, sapran <sapran at gmail.com> wrote:
> > > The main goal of a software vendor is not to bring you a _good_ product,
> > > but to sell it to you.
> > 
> > As much as I like open source, I have to say what you stated above is
> > incorrect. There is a disconnect. The software vendor's goal is to
> > sell software (like any other business), but to do that it has to
> > build a reputation. And it cannot build a good reputation by
> > consistently producing bad (insecure) software.
> 
> More specifically:
> 
> The software vendor's goal is to sell software.  To do so, it must create
> an impression of value in the minds of the targeted customer base.  There
> are a number of ways to do this, and any successful vendor will probably
> make use of two or three at least.  There are of course certain areas of
> perceived value for which it is critically important to avoid appearing
> to have *zero* value, and one of them is security.
> 
> Some of the most successful software vendors in the world go no further
> than giving an impression that their software can be made "secure enough"
> for most purposes by the customer, regardless of how secure it is
> perceived to be by default.  This shows just how unimportant most people
> view the matter of security -- they figure that something that isn't
> really secure by default, but can be made "secure enough" for some
> minimal value of $enough, is all that's needed in that respect.  This is
> why, for instance, the single most popular desktop operating system in
> the world is one whose vendor utterly fails to provide proper support for
> security patching when it comes to mobile replicating malware:
> 
>   http://blogs.techrepublic.com.com/security/?p=286
> 
> The benefits of open source software are twofold, really, with a
> sub-benefit to one of those two main benefits, when it comes to security:
> 
>   1. The primary goal of commercial software vendors is to sell software.
>   While the high quality of the software is a potential factor in making
>   the software more easily sold to the masses, it is not the only factor,
>   and there are other factors that directly compete with quality for the
>   vendor's investment.  As such, there's usually a (non-specific)
>   practical upper limit to how good the software can be.  With open
>   source software, on the other hand, the individually interested
>   developers (as opposed to those who get involved solely at the behest
>   of commercial entities that want to sell open source software) are
>   primarily focused on making the software as good as it can be.  Reasons
>   for that include using the quality of the software as personal
>   reputation builder and, more importantly, wanting the software to be as
>   good as possible because the developers themselves typically use it --
>   the main reason many of them got into developing it in the first place.
> 
>   2. Primarily, the "many eyes" principle of security comes into play in
>   the development of open source software, ensuring the improvement of
>   its security characteristics over time.  Secondarily, something related
>   to Kerckhoffs' Principle comes into play, "forcing" the developers of
>   open source software to work toward software whose security
>   characteristics are not dependent on fallacious security concepts like
>   "security through obscurity".  A couple of relevant links:
> 
>       Kerckhoffs' Principle --
>         http://en.wikipedia.org/wiki/Kerckhoffs'_principle
>       
>       Security Through Visibility -- 
>         http://articles.techrepublic.com.com/5100-10878_11-6064734.html
> 
> The long and the short of it is that commercial software vendors, in
> general, are neither significantly motivated to produce secure, high
> quality software, nor entirely unmotivated to produce secure, high
> quality software.  Their actual motivations lie somewhere between the two
> extremes, and that level of motivation can vary wildly between those
> extremes.  The benefit to open source software is not that its developers
> are motivated to create secure, high quality software while commercial
> software vendors' developers are not, but that open source software
> developers tend strongly to have a more inherent motivation toward
> developing secure, high quality software.  This is largely because for
> open source software developers, secure, high quality software is an end
> in itself, while for commercial software vendors, secure, high quality
> software is just one means of many toward an indirectly related end.
> 
> It's all a matter of tendencies, though, and not of absolute truths.
> 
> There is one other very important factor, though.  With closed source
> software, there is also something of an implicit motivation to violate
> the security of the end user -- because the obscurity of the system's
> inner workings lends itself to a sense that the vendor can "get away
> with" something that can, if the vendor is clever enough, be used as
> leverage toward greater market share.
> 
> -- 
> CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
> Rudy Giuliani: "You have free speech so I can be heard."
> 
> 