
With the recent news that Microsoft is releasing the source code for its ASP.NET Web API and Web Pages [1], I'm wondering:

Does having access to the source code of the underlying libraries a web application is built upon give a hacker an advantage, i.e. is it less secure than if the hacker didn't have the source?

I'm guessing not, as there are many successful open source web libraries/engines around, but then my question is: why is it not an advantage?

[1] Note that the source code for ASP.NET MVC has been available since version one.

3 Answers


The key here is that with closed source code, the onus is on protecting that code: attackers may try to steal the code, reverse engineer it, or just attack it. The internal processes should be designed to identify vulnerabilities and fix them, but the numbers are quite skewed:

  • Attackers: many; defenders: few

With open source code, there is a slightly increased risk that the attackers may identify new vulnerabilities, but importantly you end up with many more potential defenders identifying code vulnerabilities and informing the code writers:

  • Attackers: many; defenders: many

Have a look at this question comparing open and closed source as it may answer all your questions. If it does, we can close this one as a dupe.

Rory Alsop

Obviously, there is not one correct answer to this, but here are my thoughts on it:

It is an advantage for an attacker to have the source code. Black-box testing/attacking is, for obvious reasons, harder. Knowing how things work exactly is always better than guessing how they might work. Also, tools that search the source for possible vulnerabilities, well, they require the source ;)

But releasing the source also has advantages (at least in theory). More people will read the source code and bugs relevant to the security of the program will surface faster. This is obviously only an advantage under two conditions: 1. People actually DO read the source code and report issues. 2. The developers fix the issues in a timely manner. Both points are somewhat controversial. People behind the open source idea often suggest that point 1 happens a lot (which I am not that sure of) and practice shows that point 2 is not followed by many developers (however, if the vulnerability was published openly, any user is at least aware of it and can act accordingly).

So to summarise, it is definitely an advantage for an attacker to have the source code, but the more people review the source, the more bugs are hopefully fixed.

tim
  • So in answer to my bolded question, it is an advantage, but not for long providing you keep updating to the latest version of the source (and the crowd actually fix the vulnerabilities). Have I got that about right? – George Duckett Mar 29 '12 at 13:08
  • @George Basically, yes. Knowing the source makes attacks easier for the attacker, but the developers might decide to publish the source anyway as the security of it improves overall (and thus, the benefits outweigh). And keeping to the newest version of anything is always a good idea for the end user. – tim Mar 29 '12 at 13:16
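The static-analysis point made in the answer above (tools that search the source for vulnerabilities need the source) can be made concrete. The following is an added example, not code from the original answer, from ASP.NET, or from any real scanner: a minimal taint scan in Python over a constructed ASP.NET-style C# fragment. The fragment, the source/sink regular expressions, the sink names and the function names are all invented for illustration. A black-box tester sees only the HTTP responses of the running site; with the source in hand, the same two problems fall out of a few regular expressions.

```python
import re

# Constructed ASP.NET-style C# fragment, written for this example only (it is
# not code from the page, from ASP.NET, or from any Microsoft release).
# Line 3 builds SQL by concatenation and line 6 redirects to a request value;
# lines 4-5 show the parameterised query that a scanner should NOT flag.
SAMPLE_SOURCE = "\n".join([
    'string user = Request.QueryString["user"];',                                              # 1
    'string page = Request["page"];',                                                          # 2
    'var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + user + "\'", conn);',   # 3
    'var safe = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);',             # 4
    'safe.Parameters.AddWithValue("@name", user);',                                            # 5
    'Response.Redirect("/view?p=" + page);',                                                   # 6
    'Response.Redirect("/home");',                                                             # 7
])

# Taint sources: any assignment whose right-hand side reads straight from the request.
TAINT_SOURCE = re.compile(r'\b(\w+)\s*=\s*Request(?:\.QueryString|\.Form)?\s*\[')

# Sinks (hypothetical names): each regex captures the expression handed to the call.
SINKS = {
    "sql-injection": re.compile(r'new\s+SqlCommand\s*\(\s*(.*?)\s*,'),
    "open-redirect": re.compile(r'Response\.Redirect\s*\(\s*(.*?)\s*\)'),
}


def tainted_identifiers(source):
    """Return the set of variable names assigned directly from the request."""
    return {m.group(1) for m in TAINT_SOURCE.finditer(source)}


def scan(source):
    """Return (line number, sink name, tainted names) for every sink argument
    that is built by string concatenation from a tainted identifier."""
    tainted = tainted_identifiers(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for sink_name, pattern in SINKS.items():
            m = pattern.search(line)
            if not m:
                continue
            expr = m.group(1)
            if "+" not in expr:
                continue  # literal or single identifier: no string building here
            used = sorted(t for t in tainted
                          if re.search(r'\b%s\b' % re.escape(t), expr))
            if used:
                findings.append((lineno, sink_name, used))
    return findings


if __name__ == "__main__":
    for lineno, sink, names in scan(SAMPLE_SOURCE):
        print("line %d: %s via %s" % (lineno, sink, ", ".join(names)))
```

Running the block prints one finding for line 3 (SQL built from `user`) and one for line 6 (redirect built from `page`); the parameterised query on line 4 and the constant redirect on line 7 are correctly left alone. Real tools track data flow across methods and files rather than per-line patterns, but the dependency is the same: none of this is possible against a compiled binary without first recovering the code.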

It is always possible to get the source code to a closed application.

Therefore, by a technicality, all source code is open-source. There is no such thing as "closed source".

It is best to assume that your source code has already been stolen by your adversaries.

atdre
  • "It is always possible to get the source code to a closed application." Please shed some light. – Karthik Apr 02 '12 at 06:46
  • I'm assuming he means things such as social manipulation, malware on developers' PCs, getting a job and walking away with the source, security breaches, .NET decompilation or any number of alternative ways that source gets leaked. – StrangeWill Apr 03 '12 at 15:10