Security: An Apples-To-Open Comparison?
Here is a question which has been bothering me for some time now, and which doesn't stand much of a chance of resolving itself. Is comparing the much-vaunted security benefits of open source software to similar proprietary apps a false comparison?
Part of this was inspired by news of another (yes, another) exploit in WordPress. Admittedly it's one that targets a slightly older version of the software, but WordPress is infamous for this sort of thing. The blogging platform I use myself, Movable Type, has rarely been attacked in the same fashion. When I mentioned this discrepancy to my programmer friend, he gave me a bemused talk about the way PHP has made it possible to write both very popular and horribly insecure web applications.
But then I popped the bigger question: Doesn't it make more sense to compare the security benefits of a given open source application only to other open source applications? Since proprietary apps are by definition closed, we can't conduct our own audit and find out how exploitable the code is, so it doesn't make sense to compare them.
So why do we do it? Probably as a selling point -- as a way to convince people that open source is better across the board. But that's something that should be decided on an application-by-application basis. If a given application is better for one's needs, it shouldn't matter how it was developed; its merit should be in the using.
Maybe part of the problem is that security metrics themselves are a mess, because we mostly go by number of reported and closed incidents -- which is about all we can go by. Unless we set up some authority (who?) to audit code line-by-line ... and from all I've seen, the best security comes from well-trained programmers who write security-conscious code, not auditing.
One possible comeback to this is the old saw about how open source is inherently that much more improvable. I agree with that, but I've learned to temper my enthusiasm: what matters more is whether or not there are the right people in the right position to fix what's wrong with the program. Yes, you can fix it yourself -- but I'm learning that the number of people truly qualified to fix egregious security issues may be even smaller than the number of people qualified to detect them.
All I'm saying, in the end, is that we should make fair comparisons on both sides. It makes the most sense to compare things like MT and WP to each other when talking security, and not to proprietary products where the nature of security is an entirely different game altogether.