12 February 2002 Open and closed approaches to security – and source code – offer little difference in terms of security, according to Cambridge professor and computer security expert Ross Anderson.

The head of the University of Cambridge computer laboratory was stepping into a debate fiercely contested both in the computer security industry, by gurus such as Counterpane’s Bruce Schneier, as well between commercial software vendors and open source software advocates. But Anderson’s conclusion is that neither approach is inherently better in terms of security.

Anderson argues that all software will have more or less the same number of bugs and other flaws in it, regardless of whether it is open or closed source. What is important is the rate at which bug fixes are produced and applied.

“A practical decision on whether to keep the design of a system secret or to open it to public inspection will depend on the extent to which it departs from standard assumptions about the statistics of bugs,” said Anderson, who was speaking at a Linux User Group meeting in London’s City University.

His conclusion follows an extensive statistical analysis on the subject, published in a recent briefing paper.

However, he warned that there might be any number of factors that might cause this assumption to break down, such as the skill of the software developers, the ease and cost of applying patches and the development of new types of attacks.

Links
Professor Ross Anderson’s home page.
Security in Open versus Closed Systems
Professor Ross Anderson’s 13-page briefing paper.
Requires Adobe Acrobat reader.