How Good Is Cisco's Security Planning?

from the as-if-it-were-open-source? dept

In the ongoing (and somewhat silly) debate between open source advocates and proprietary software advocates, both sides like to brag that their method is better for security. Proprietary software advocates point out that by hiding the source code it's much harder for anyone to determine vulnerabilities, and allows the owner of the software to patch them quickly. Open source supporters contend the opposite is true. If the code is open, then everyone knows what's available so the natural security of the program needs to be top notch. If it's not, lots of people can contribute to a fix quickly. Well, that debate has become a bit more interesting now that everyone is scurrying around talking about how Cisco's IOS source code was swiped last week and people are wondering what sort of vulnerabilities will be turned up and exploited. Eric Raymond (whose beliefs supporting open source are well known) makes the very reasonable point that anyone developing proprietary software really ought to design it as if the source were open - in order to deal with exactly these situations. If Cisco had open sourced their IOS in the first place, the argument goes, people wouldn't be worried about vulnerabilities right now. That does leave out the other side of the story, but it is true that anyone developing software believing they can be lax on security because their source code is closed is living in a dream world. Not to say that Cisco's IOS isn't secure - but now lots of people need to worry about it.