The OpenSource vs' Proprietary Software Security Debate

1
The Open-Source vs. Proprietary Software Security
Debate

• Representing proprietary software Roberta
  Bragg, Windows 2000 consultant, columnist and
  speaker. Also the author of ISA Training
  Guide, MCSE Windows 2000 Network Security
  Design, and Windows 2000 Security.
• Representing open source Ryan Bloom, member
  of the Apache Software Foundation and
  consultant for TechLink Systems. Also the
  author of Apache Server 2.0 The Complete
  Reference.

2
Proprietary Software Security

• Roberta Bragg, MCSE, CISSP, MCT, MCP is a
  well-known Windows security consultant, columnist
  and speaker. She is the author of a number of
  highly regarded Win2000 security books and writes
  MCP Magazine's popular Security Advisor column.
  As founder of Have Computer Will Travel, she
  consults on security, operating systems, and
  databases. Her publishing credits include ISA
  Training Guide, MCSE Windows 2000 Network
  Security Design and Windows 2000 Security.

3
Myths About Open Source vs. Proprietary Program
4
Thousands of Eyeballs

• Will find all the bugs, right?

5
The Taint of Money

• The open-source programmer is an angel, who is
  passionate about his code while those who get
  paid to write code are not.

6
Proprietary Source Code Cant Be Examined by a
Third Party

• What awful mistakes are they hiding?

7
Proprietary Source Code Programmers are Isolated
and Work from Antiquated Texts

• (Open-source code programmers all know the latest
  coding techniques and are somehow more involved
  with the programming community.)

8
It will take longer to discover security flaws in
proprietary source code
9
Open-Source Security

• Ryan Bloom is a key contributor to the
  open-source community and a consultant with
  TechLink Systems. A member of the Apache Software
  Foundation since 1999, Bloom plays a leading role
  in the development of Apache 2.0, the next
  generation of Apache Web server technology. In
  addition to his work with Apache 2.0 and TechLink
  Systems, Bloom is also a regular speaker on
  Apache and open-source issues at such events as
  the O'Reilly Open-source Forum and ApacheCon. He
  is the author of the recently released, "Apache
  Server 2.0 The Complete Reference."

10
The Regular Quotes

• You wouldnt buy a car with its hood welded
  shut
• Given enough eyeballs, all bugs are shallow
  Eric Raymond

11
Bugs/Security

• Bugs happen in all code.
• Bugs are no more common in open source or
  proprietary code
• Bugs are much easier to fix in open-source code
• Open-source code is almost always easier to
  understand, and thus fix
• Open-source code is designed to be picked up
  quickly. Proprietary code rarely is.

12
Security/Bug Fix Releases

• There is more to consider than just how often
  bugs/security holes are found
• How critical is the hole?
• How quickly is a patch available?
• Often open source projects are patched in days.
• This means that the user is often also the QA
  engineer
• Proprietary projects usually take much longer

13
Moderator QA

• Please continue to submit your questions to
  Roberta and Ryan. They will begin answering them
  following this portion of the event.

14
Audience QA

• Submit your specific questions to Roberta and
  Ryan now. You can do so by clicking the Ask a
  Question button in the lower left part of your
  screen. Roberta and Ryan will be answering YOUR
  questions from now till the end of the hour.

15
Feedback

• Did you enjoy this event? Would you like to see
  us host other events like this? If so, send your
  suggestions and comments to editor_at_searchSolaris.c
  om.