Open source vs closed source: opinions from a virus analyst

Kaspersky Lab's David Emm weighs in on open source security

David Emm, Kaspersky Lab senior regional researcher, Global Research & Analytics Team.

Open source security is a hot topic in the IT world. Some people believe that open source solutions are a potential playground for mischief-makers and cyber criminals, while others swear they’re safer than proprietary software. During a Kaspersky Lab press tour to Croatia, PC World Australia caught up with David Emm, a senior regional researcher in the Kaspersky Lab Global Research and Analytics Team. Here’s what he had to say about open source security.

PCW: Are open-source applications more or less secure than their closed-source counterparts?

David Emm: There are two ways of looking at it. With open source, more people can get their eyes on code. At first appearances, the immediate thought is that if the bad guys can see the code they can prod it and poke it, which perhaps makes it more vulnerable. On the other hand, it can also work the other way. The open source model is laid out for everybody to contribute to — it’s not just bad guys looking at the code and seeing where there may be vulnerabilities; good guys do too. So I don’t actually think there’s much to call between one and the other.

PCW: So who does open source aid more — good guys or bad guys?

David Emm: Any solution, particularly in regards to security, has to be well coded and updated regularly right from the word go — so it all depends on the individual application. When Windows Vista was developed, security was one of the key features that Microsoft factored into it. I think this has to be just as true of any solution in the open field. Basically, if somebody can find a security loophole, they will exploit it.

PCW: What are some of the chief security pitfalls for open source users?

David Emm: Whatever system you’re running, the key is still the same: you need to protect it. This involves Internet security products, firewall products, vulnerability-scanning and so on. But it also means patching. With open source mechanisms, this may require you to be more proactive as they don’t always have automatic updates. So, if I’m running OpenOffice, I’ve got to ensure any available patches are in place myself. As a consumer, the onus is on you to take the appropriate steps — don’t rely on whatever application you're running to update security by itself.

PCW: In your experience, how does open source security software shape up compared to commercial products, like those from Kaspersky Lab?

David Emm: With commercial solutions, there has to be a built-in support network for everything — all the way down to installation. This is pretty key — it’s the difference between providing a spade for the gardening and providing a gardening service. We provide the support infrastructure which may not be there [with open source applications]. We have a full-on customer service team and that’s pretty much what they do 24/7. With a non-commercial product, it’s difficult to see how they could provide this same level of support. I think this is the main differentiator.

PCW: Generally, do you think open source users are more security conscious?

David Emm: I think in most cases they’re more security conscious. For instance, if you think of people who go for Firefox over IE, a chunk of them would have made that decision because they’ve read or heard about vulnerabilities for Internet Explorer. They’re perhaps better informed that the bad guys target commonly used systems, which makes Firefox potentially safer. Ironically, it’s now a bigger target for vulnerability attacks than when it first launched, because a lot more people are using it. I think a lot of closed source users assume they’re safe because the code is hidden — they’ll play poker because nobody can see their hand. But I think these people are playing a dangerous game. Obviously, just because an application is closed source doesn’t mean it won’t have vulnerabilities.

PCW: Where do you see IT security going in the future?

David Emm: I think one of the biggest challenges is going to come with cloud computing. One of the main drivers of cloud computing is cost, with less attention paid to security. One of the dangers is that if companies begin to outsource applications and security measures, they will lose direct control of their customers’ data — the applications that manipulate the data are all off-site. We need to find ways in which everyone can feel comfortable about how secure the data in the cloud is. What worries me is that security doesn’t always get looked at right up front.

PCW: But surely people will demand higher security measures from cloud computing services? After all, if the data isn’t on your personal hard drive, there’s more to be paranoid about.

David Emm: You may be right. But if you look at the whole Web 2.0 thing, people are not necessarily thinking security — they’re thinking convenience. They want a two-way relationship, where they don’t just get fed but also contribute to the meal. They may think the convenience of having information in the cloud is great, but they won’t necessarily think about what the security implications could be. On a consumer level, many people simply aren’t aware of the potential risks — they don’t have the knowledge. And on a corporate level where cost is a driver, it may only be a priority after something bad has happened. In all areas of society, we tend to get bitten by something before we become aware of the potential threat.

Chris Jager flew to Croatia as a guest of Kaspersky Lab.


Chris Jager

PC World