Does Linux Really Offer Improved IT Security?
From the Security Wire Perspectives newsletter. By Douglas Schweitzer, Contributing Writer:
“With costs of software flaws exacting a huge toll on organizations –
NIST pegs it at nearly $60 billion annually in the U.S. alone – many
security experts advocate the use of open-source applications, which
they say have fewer undiscovered, unpatched flaws.
“When software’s source code is openly available to the public, as is
that of the Linux operating system, it lends itself more readily to
modification. The Linux operating system allows third-party
developers to adapt code to meet their needs, leaving it extended and
modified in an improved state for subsequent users. Advocates of open
source software point out that since underlying code is freely open
for inspection, more eyes examine it, which results in more errors
being uncovered and promptly patched. From a security standpoint,
this makes for a broader redistribution of the software and provides
the added benefit of having numerous patches and repairs occurring
from a variety of sources. The software evolves at a faster rate than
is seen in proprietary software.
“Linux isn’t only appealing because it garners review from a large
audience, but that it’s free may be even more attractive. According
to Marcia Wilson, CEO of Wilson Secure in Pleasanton, Calif., ‘There
is great flexibility when using open source software; and it’s free!
However, the most attractive part about it is that the open source
community is huge, global and responsive. If you have a problem with
code, you can quickly get a fix, or answers, or assistance through
these communities. Large private software companies can’t move that
fast and often can’t provide a fix until the next release of the
software.’
“The debate concerning the security of Linux is tempered by the fact
that ‘if the security provided by a particular installation is not
sufficient it can be modified to ensure the highest levels of
protection,’ said Dave Wreski, CEO of Guardian Digital Inc. in
Allendale, NJ. Even the U.S. government uses Linux and other open
source software, with over 250 deployments in use by the Department
of Defense, according to the Mitre Group. ‘The United States
government, with special regard to the Department of Defense, puts
security and confidentiality to the highest standard. Any code chosen
for critical government or military systems must undergo countless
hours of analysis and vulnerability assessment,’ he said.
“‘If that’s not enough to convince skeptics,’ Wreski added, ‘Linux truly
focuses on the security of the system and its capabilities and
strengths continue to improve, surpassing those of proprietary
vendors like Microsoft.’
“While Linux is considered most secure by many in IT security,
Microsoft hasn’t yet thrown in the towel. Said Tony Bradley, a
security guru for a Fortune 100 computer services firm, ‘In my
opinion most variations of Linux are more secure by default. However,
Microsoft is working hard to fix some of [its] issues by turning
security features on by default and turning off some of the
vulnerability-prone services by default in newer versions and with
the latest service pack updates. Linux generally installs with a
number of third-party open source programs, though, which have their
own issues and vulnerabilities.’
“The bottom line: Whether opting for open or closed source software,
any and all operating systems will still require administrators to
monitor for security flaws, possible viral infections, and the
possibility of breaches through firewalls.”
