X

Sun exec defends open-source security

Whitfield Diffie, chief security officer at Sun Microsystems, says businesses have a "moral responsibility" to audit software code to guard against vulnerabilities.

Peter Judge Special to CNET News
See full bio
Peter Judge
2 min read
PARIS--Whitfield Diffie, the inventor of public key cryptography and now chief security officer at Sun Microsystems, spoke out Tuesday in defense of the security of open-source software.

In a keynote address at the RSA Conference here, Diffie defended open-source software against an attack made earlier at the same conference by Microsoft's chief security officer, Craig Mundie.

During his keynote speech, Mundie had labeled as a "myth" the idea that open-source software can be more secure than closed, proprietary software. "Just because people can look at software, it doesn't mean they will," said Mundie. "You need trained people looking, not just arbitrary people."

Open-source products have steady streams of vulnerabilities, Mundie said, arguing that closed-source, proprietary software gives users a clear point of responsibility where problems will be fixed--the software vendor. "People need an incentive to do the grungy work (of checking security aspects of code)," he said.

"Craig's right," said Diffie. "But there is an asymmetry here. Who is the most important person who should look at the code? You--the enterprise--have a moral responsibility to audit that code."

Since Microsoft has said that it is unlikely to take legal responsibility for the security of its code, Diffie's suggestion may gain credibility.

Diffie denied that there was any trade-off between security and usability, saying that if the security risks are properly understood, then security measures become a prerequisite of usability. Car keys make it more complex to lock and leave a car, he said, but they allow a person to park that car anywhere.

Diffie also said that security cannot be delegated, nor can a user rely on one company for security. "Openness is essential for trust," he said, referring to open-source code, as well as compatibility.

In the future, software will be increasingly important as a defensive tool, he added: "As security migrates further from human intervention, it migrates further from natural human methods of security."

Sun's involvement in security goes back to its foundation as the company that made servers for university Unix sites, he said, pointing out that the secure version of the Solaris operating system was created in 1990, and the mainstream version is now very close to it, with features such as compartmentalization built in. Other Sun achievements in security included Java, with its "sandbox" and byte-code verification.

ZDNet UK's Peter Judge reported from Paris.