Open source vs closed source: opinions from a virus analyst

Kaspersky Lab's David Emm weighs in on open source security

David Emm, Kaspersky Lab senior regional researcher, Global Research & Analytics Team.

Open source security is a hot topic in the IT world. Some people believe that open source solutions are a potential playground for mischief-makers and cyber criminals, while others swear they’re safer than proprietary software. During a Kaspersky Lab press tour to Croatia, PC World Australia caught up with David Emm, a senior regional researcher in the Kaspersky Lab Global Research and Analytics Team. Here’s what he had to say about open source security.

PCW: Are open-source applications more or less secure than their closed-source counterparts?

David Emm: There are two ways of looking at it. With open source, more people can get their eyes on code. At first appearances, the immediate thought is that if the bad guys can see the code they can prod it and poke it, which perhaps makes it more vulnerable. On the other hand, it can also work the other way. The open source model is laid out for everybody to contribute to — it’s not just bad guys looking at the code and seeing where there may be vulnerabilities; good guys do too. So I don’t actually think there’s much to call between one and the other.

PCW: So who does open source aid more — good guys or bad guys?

David Emm: Any solution, particularly in regards to security, has to be well coded and updated regularly right from the word go — so it all depends on the individual application. When Windows Vista was developed, security was one of the key features that Microsoft factored into it. I think this has to be just as true of any solution in the open field. Basically, if somebody can find a security loophole, they will exploit it.

PCW: What are some of the chief security pitfalls for open source users?

David Emm: Whatever system you’re running, the key is still the same: you need to protect it. This involves Internet security products, firewall products, vulnerability-scanning and so on. But it also means patching. With open source mechanisms, this may require you to be more proactive as they don’t always have automatic updates. So, if I’m running OpenOffice, I’ve got to ensure any available patches are in place myself. As a consumer, the onus is on you to take the appropriate steps — don’t rely on whatever application you're running to update security by itself.

PCW: In your experience, how does open source security software shape up compared to commercial products, like those from Kaspersky Lab?

David Emm: With commercial solutions, there has to be a built-in support network for everything — all the way down to installation. This is pretty key — it’s the difference between providing a spade for the gardening and providing a gardening service. We provide the support infrastructure which may not be there [with open source applications]. We have a full-on customer service team and that’s pretty much what they do 24/7. With a non-commercial product, it’s difficult to see how they could provide this same level of support. I think this is the main differentiator.

PCW: Generally, do you think open source users are more security conscious?

David Emm: I think in most cases they’re more security conscious. For instance, if you think of people who go for Firefox over IE, a chunk of them would have made that decision because they’ve read or heard about vulnerabilities for Internet Explorer. They’re perhaps better informed that the bad guys target commonly used systems, which makes Firefox potentially safer. Ironically, it’s now a bigger target for vulnerability attacks than when it first launched, because a lot more people are using it. I think a lot of closed source users assume they’re safe because the code is hidden — they’ll play poker because nobody can see their hand. But I think these people are playing a dangerous game. Obviously, just because an application is closed source doesn’t mean it won’t have vulnerabilities.

PCW: Where do you see IT security going in the future?

David Emm: I think one of the biggest challenges is going to come with cloud computing. One of the main drivers of cloud computing is cost, with less attention paid to security. One of the dangers is that if companies begin to outsource applications and security measures, they will lose direct control of their customer’s data — the applications that manipulate the data are all off-site. We need to find ways in which everyone can feel comfortable about how secure the data in the cloud is. What worries me is that security doesn’t always get looked at right up front.

PCW: But surely people will demand higher security measures from cloud computing services? After all, if the data isn’t on your personal hard drive, there’s more to be paranoid about.

David Emm: You may be right. But if you look at the whole Web 2.0 thing, people are not necessarily thinking security — they’re thinking convenience. They want a two-way relationship, where they don’t just get fed but also contribute to the meal. They may think the convenience of having information in the cloud is great, but they won’t necessarily think about what the security implications could be. On a consumer level, many people simply aren’t aware of the potential risks — they don’t have the knowledge. And on a corporate level where cost is a driver, it may only be a priority after something bad has happened. In all areas of society, we tend to get bitten by something before we become aware of the potential threat.

Chris Jager flew to Croatia as a guest of Kaspersky Lab.


Chris Jager

PC World