
Commentary: Trust no one

Gartner says that despite new attention given to software security, no software--whether proprietary or open source--will ever be 100 percent secure.

By Richard Stiennon and John Pescatore, Gartner Analysts

Despite new attention given to security by powerhouse software maker Microsoft, and ongoing security measures by many open-source software makers, Gartner believes that no software--whether proprietary or open source--will ever be 100 percent secure.

Microsoft software has long been the target of hackers and virus writers, but in recent months the discovery of vulnerabilities in three different open-source products has put the question of open-source software security under scrutiny.

Unlike proprietary software, whose code is not opened to public scrutiny, open-source software allows anyone to inspect its code. This openness allows open-source vulnerabilities to be discovered faster than those in proprietary software, and the spiral release-and-enhance model used in well-managed open-source products will produce higher-security applications more quickly than the typical waterfall model seen with commercial proprietary software.

However, this does not mean that vulnerabilities in open-source code never go unnoticed for long periods of time, or that vulnerabilities in proprietary code are never disclosed early in the cycle. Nonetheless, over the long run, open-source software will reach a given level of security faster than proprietary software.

Microsoft's recent statements about a stronger focus on security should not suddenly make businesses feel completely secure using Microsoft software. Nor should superior open-source security testing processes cause a Linux or Apache user to feel overconfident. Vulnerabilities will always be found in both proprietary and open-source software, and customers should take steps of their own to ensure software security.

Businesses should emphasize security and reliability when making software purchases and update decisions. Doing so will drive software makers to invest in development processes designed to improve security.

In addition, enterprises should not accept out-of-the-box software as is. They should complement the software's intrinsic security with their own safeguards, including vulnerability assessments; standard, hardened configurations and firewalls; and continuous checking and ongoing maintenance of application defenses.

(For a related commentary on Microsoft's new security initiative, see Gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.