Is Open Source More Secure?

  • Published: 28 May 2024
  • Get the guide to cybersecurity for genAI → ibm.biz/BdmjSN
    Open Source Software Foundation → openssf.org
    Are Linux and other open source software vulnerable to malware?
    In this video, cybersecurity expert Jeff Crume explores the consideration of open source security to explain how vulnerabilities are discovered and mitigated and shares key resources that can help.
    Get the latest on the evolving threat landscape → ibm.biz/BdmjS7

Comments • 60

  • @Simone-uu8ne 29 days ago +6

    The major drawback of relying exclusively on open source projects (and I admit to doing the same at my workplace) is that they are considered "secure and tested" by default. Of course there are projects (e.g., Linux, AES, etc.) that undergo a high level of testing before being released as a new version, but we usually forget that these projects rely on other projects that in turn rely on other projects, and so on. Therefore, the status of individual tests should be checked before any upgrade or installation, running more tests internally (where possible) to ensure a lower level of possible attacks on the supply chain.

    • @jeffcrume 28 days ago +1

      Very well said!

  • @rookie28604 1 month ago +8

    Open source ecosystems have their problems, but they're always going to have more eyes than closed systems. There is a problem of a lot of people using open source but not contributing.

    • @jeffcrume 1 month ago

      Agreed. I’m a fan of open source. It just isn’t perfect. Nothing is

  • @InvalidPersistentName 1 month ago +7

    Excellent description of a timely topic. Thank you!

  • @Bobcoolyoung 1 month ago +2

    I love these IBM learning videos. They're so lucid and dynamic. Thank you Jeff.

    • @jeffcrume 1 month ago

      Thank you for saying so!

  • @velo1337 1 month ago +4

    the 1000 eye argument is also not valid if you check that some stuff is only maintained by a handful of people

    • @jeffcrume 29 days ago

      Very true. And even if we have the 1,000 eyes, they may not all know what to look for

  • @amigazo3972 1 month ago +2

    Your level of making things understandable is insane. Thanks for the nice material in this delivery. We have missed you in the IBM videos :D

    • @jeffcrume 1 month ago +1

      Thank you so much! I’ve missed doing these but should be back in the studio soon

  • @computelabs 1 month ago +1

    When you talk about the failure of open source, I would like to share that it's their respective community who encouraged writing hard-coded passwords inside the code. It's not a software failure; rather, those communities discourage individuals from writing or making secure products by not mentioning it in their documentation. Also, today's processors are advanced and do in-memory encryption, which can be used by this open source software to secure it, or turn this failure into success.

    • @jeffcrume 29 days ago

      Agreed. We need to get the word out so that people start doing this instead of

  • @computelabs 1 month ago +1

    Open source software can only be secured if the dev or admin knows about security and has audited its software security. Otherwise, I can see that if source code is open or available, that does not mean it's secure just because the source code is available or visible. Any attacker can read the code and design the exploit specifically; overall, the dev or owner should be smart enough to turn it into something secure.

  • @libertadtech 1 month ago +1

    3:44 As AI advancements come, I am very sure that automated code inspection to find vulnerabilities is very close; when AI finds something, it will be derivative to a human being doing a manual inspection.
    Great advances in security are coming, much more so with the large context windows that are being generated with almost no flaws. Will it be with GPT-5, Gemini Ultra 2.0 or Claude 4, or the next generation? I really don't know, but I'm excited.

  • @ManfredWisniewski 1 month ago +2

    Great summary, thank you!

    • @jeffcrume 1 month ago

      I’m glad you liked it

  • @bakerkawesa 1 month ago +1

    Open source is self organizing and more scalable. With open source products, a community of maintainers, contributors, and users share amongst themselves the burden of identifying and solving problems. With closed source products, a handful of employees of an organization must wear all the hats. Closed source is also tempted by "security by obscurity"; a non-option for open source.

    • @jeffcrume 1 month ago

      All true. Which is why IBM has been a leading contributor to open source projects in Linux, cryptography (including quantum safe) and others

  • @2truffies 1 month ago +3

    How does he mirror write? 🤷🏼‍♂️
    Cool video 👍

    • @kevinrineer5356 1 month ago +1

      Transparent glass and flips horizontally in the edit

  • @rucellegarciano4105 1 month ago +2

    Wow... It was 2006-2007... Almost 20 years ago...

  • @RichardLucas 29 days ago +1

    There's no answering the question in the abstract. It cuts both ways. If your code is open, there is more pressure to implement the best available practices, and because it is open it will put those practices to the test. If it's closed, it could still be using the best practices and/or obfuscation, which actually can add security in the right context. That's all you can say. You're welcome.

  • @paulbrian101 1 month ago +1

    Awesome presentation!

  • @Strammeiche 1 month ago +1

    As a developer security by obscurity is my daily business.

  • @spelz1751 1 month ago +2

    How'd you get the eyes to blink 😮

    • @jeffcrume 1 month ago +1

      That was some nice work by the guy that edited the video. We can add drawings like this later in the post production process where animations are possible

  • @rucellegarciano4105 1 month ago

    I remember, our Computer Science 101 Laboratory at the College of Engineering was on Linux. At first, I was surprised how weird it was because our Computer lab in high school was on Windows...
    It was my first experience of Linux.
    Ubuntu, Linux.
    I asked why we were using Linux... And the answer that I got was that it was open source. Again, my first experience of the phrase "open source".
    But they also further added that we were using Linux because, compared to Windows, it was more immune to computer viruses... But not totally...
    Windows is great... It is preferable but Word, Excel, the whole kit and caboodle, is already not free.
    Windows is great but it is not free... And I am in a third world country... So... 🤷

    • @vcx666 12 days ago

      😂😂 That is why 99% of Windows used to be pirated before most OEMs started shipping it out of the box, especially after 10.

  • @vvvvvvvvvvv631 1 month ago +3

    closed source is already a malware

  • @rucellegarciano4105 1 month ago +1

    Nice short video tutorial...

  • @pankaj16octdogra 1 month ago +1

    Very nice

  • @ReefGeoscience 28 days ago +1

    Here's a thought, why not train an AI to look for zero-day exploits in open source code. Switching to Linux would then be a no-brainer

    • @jeffcrume 25 days ago

      No doubt that is already happening, unfortunately. The positive side of this, though, is that if the good guys use the same tech to identify vulnerabilities, then maybe they will be able to fix them sooner as well

  • @karlostj4683 1 month ago

    "I can see the source code..." Which you can also do with "proprietary" software, if you have, say, a decompiler. The translation between human-readable code and machine code is far more understandable than say the translation between the English language and Arabic. So no, "proprietary software" isn't a "black box".

  • @DV-ml4fm 1 month ago +17

    I will still use linux over window$ any day.

  • @rucellegarciano4105 1 month ago +1

    Yes... It can...

  • @blogcorpo 1 month ago +1

    ♥♥

  • @Pem7 1 month ago +1

    It is but like any other system, it can be hacked too🤞🏾

    • @jeffcrume 29 days ago

      If it’s operational, it can be hacked

  • @gogich777 1 month ago +1

    First, learn what Linux is. This will be a good first step.

  • @Debanjan-rm6wj 1 month ago

    Watson daishta

  • @karlostj4683 1 month ago +1

    Richard Stallman (the "king" of open source) and his ilk gave us the original libstd that is used in every UNIX distribution - and that was the source of a huge number of security vulnerabilities. Where were the "1,000 eyes" looking at it when it was blessed by Stallman et al? The vulnerabilities in libstd were the result of undisciplined programmers who were more concerned about performance than they were about security. They cut corners like sloppy teenage programmers.

    • @chpsilva 29 days ago

      Yeah, because closed source does better, right ?

    • @jeffcrume 29 days ago +1

      Exactly. Nobody (and no software) is perfect

  • @GopalDev-xc9zk 22 days ago

    Hi

  • @tubemaan 1 month ago

    Since this "expert" started the video by implying a comparison with the unnamed (but clearly obvious) Microsoft products, he should be fair and objective and state the fact that, in contrast, THERE ARE THOUSANDS OF MALWARE ATTACKING AND INFECTING MICROSOFT WINDOWS OS EVERY SINGLE DAY. With this in mind, the implied comparison loses its meaning and purpose, and the two or three security issues that affected Linux over the last three decades pale in comparison and are negligible compared to Microsoft Windows' never-ending security breaches.
    - I would drink Linux collada all day, seven days a week, with these one-in-five-years' security issues rather than using any of Microsoft's "amazing" products or services for one hour.
    Microsoft would pay a billion dollars to promote this guy and this video, I even suspect that he works with Microsoft.
    LOG4J and the few other vulnerabilities (including the one related to the XZ module that was discovered last month) are NOT malware; they are backdoor code inserted by bad actors from within the people responsible for maintaining the open source code. (There are two entities that benefit from creating those security issues and are therefore suspected of planting those backdoor security breaches: Microsoft and state-level intelligence organizations.)

    • @jeffcrume 29 days ago

      I can assure you, I have no affiliation with Microsoft. In fact, I haven’t used Windows OS in more than a decade. However, to say that there are only 2 or 3 security issues with Linux over the past 3 decades is not supported by the facts. As Linux has become more popular, it has become a larger target and attackers have taken notice. No software (open or proprietary) is completely secure. I’m a big fan of open source. It just isn’t a magic cure for all security issues

  • @puki07777 1 month ago +2

    Great talk thanks for being so open!

    • @jeffcrume 1 month ago

      I’m glad you liked it!