In discussions about IT security, one sees again and again that free software is treated as a special case. Security flaws are often wrongly attributed to the general concept of software freedom behind free software. Unfortunately, the Handelsblatt article “Open Source is a serious problem” falls into a similar paradigm. A letter to the Handelsblatt went unanswered. I am therefore pleased to be able to publish this letter as a commentary on netzpolitik.org. I hope the publication will help to reduce such misunderstandings in the future.
This is a guest post by Björn Schießle. Björn is deputy coordinator of the German team of the Free Software Foundation Europe.
I was surprised to read that the assessment that free software (also known as open source software) represents a serious security problem rests simply and solely on the statements of the Chief Security Officer of SAP, a company that has not exactly drawn attention to itself through its expertise in free software in recent years. So it does not surprise me that basically correct findings lead hastily to wrong conclusions.
Let me illustrate this with an example. The statement that developing free software is faster and cheaper is certainly true. From an economic point of view, this is one of the great advantages of free software. Software companies can build on existing work. The famous wheel does not have to be reinvented with every development; instead, one can focus directly on what is actually new and innovative. Among other things, this prevents the same mistakes from being made again and again, because one builds on already established, well-tested building blocks, which in itself reduces the error rate. The banal conclusion that faster development results in more software, and more software in more errors in software, is not surprising. Nor should it surprise anyone that this is true of any software, regardless of the license. Nevertheless, nobody would want to do without the productivity gains that better tools, licensing and development models bring to software development.
Nor do I want to leave unchallenged the statement that with free software nobody is responsible for finding and fixing bugs. In fact, it is no different here than with proprietary (non-free) software.
Responsible is, of course, first of all the developer. Behind the development of free software there are now, in most cases, companies. To see this, one only has to look at the list of Linux kernel developers and their company affiliations. Then there are the companies that sell free software; they bear responsibility as well. These include, for example, RedHat, Canonical or SuSE, just to name a few. Last but not least, whoever uses the software bears the responsibility to review the quality and security of the components used. Among the companies that employ free software, you will find names such as Amazon, Facebook and Google. These companies have large departments that deal exclusively with the security of the software. Thanks to free software, their work also benefits small businesses that cannot afford a security department of their own. Especially companies that cannot afford their own security department should know that, without service level agreements with a corresponding provider, the responsibility cannot ultimately be passed on to others. Such agreements are of course also needed when using proprietary software from third parties. If one is not willing to bear the responsibility oneself, then one should not try to save money at this point when using free software either.
A complete review of the individual components that one has not developed oneself has become the main challenge, whether a company builds on free software components or buys proprietary third-party components. Free software has two main advantages at this point. The fact that one is not the only one using this software increases the likelihood that errors are actually discovered as early as possible. Another important advantage is that with free software one can often understand much better who introduced which program code. Modern developer platforms such as GitHub in particular make this very easy. That is a transparency one mostly seeks in vain with proprietary software.
Free software shows its strength precisely after a vulnerability such as the recently discovered DROWN. With free software, such a discovery usually reaches the public very quickly, while vulnerabilities in proprietary software are often kept hidden so as not to harm the company. The way this is handled with free software has two positive effects. Firstly, it gives criminals less room to sell the vulnerability on the black market and exploit it. Secondly, different parties can independently correct the error and take appropriate security measures, while with proprietary software one can only wait until the manufacturer fixes the bug and delivers an update.
That this system works well, we have seen with Heartbleed. This vulnerability was discovered and fixed by, among others, Google, which itself uses thousands of free software programs, and was then made available to the public immediately. Heartbleed also led to the creation of the “Core Infrastructure Initiative”, which has invested heavily in projects that enhance the security of free software.
In conclusion, it can be said that free software is not necessarily safer than proprietary software, but just as safe. The freedom of the software – that is, the ability to use it for any purpose, to study, share and modify it – is, however, a necessary condition for security. You can imagine it like a door lock. Everyone knows how such a lock is constructed. Many independent experts have been able to examine and improve the concept over many years. Only in this way was it possible to develop secure locks. Secrecy has never achieved long-term, sustainable security.