April 24, 2009

Don't fall for the monoculture myth

The idea that there's more security in using less popular software is not only false, but a smokescreen that distracts from solving the real security issues

Here we go again: another expert recommending that people stop using a popular piece of software because it has too many vulnerabilities. In this case, I'm talking about F-Secure's recommendation to abandon Adobe's Acrobat Reader in favor of other PDF rendering programs, like Foxit or any of the free alternatives available.

You'll often read similar recommendations to dump Microsoft's Internet Explorer (I work full-time for Microsoft) and use any other browser instead. To completely protect yourself, they'll advise moving off of Microsoft Windows altogether.


The idea is that protection can be gained by moving to a more secure product or that it's just inherently safer to use a less popular product because it is less likely to be attacked. Now, the former argument I can buy. If one product has weaker security than another product, who can blame you for switching? Of course, that argument is more complex than it first appears.

What is a more secure product? Do you measure that with known bug counts, severity of bugs, time to patch, or how often it is publicly exploited? And is the product you are moving to actually more secure, or just attacked less often because it is not as popular? This leads to the other argument: when it comes to software, there's safety in smaller numbers of users. The idea is that when everyone is using the same application or operating system (OS), a computer monoculture is created that leads to more exploits.

On the face of it, it's a compelling argument, one that's hard to reason against. If we all use the same software, then attackers can write one piece of code to exploit us all simultaneously. It seems to make sense that moving away from a monoculture (an argument first popularized in a paper by Dan Geer and others in 2003) would reduce overall security risk.

Gray_Hair 24-Apr-09 11:08am
Microsoft Security Advisor seems to be an oxymoron. First, that well-publicized advice to move off of IE and ideally off Microsoft Windows altogether was given in the context of demonstrated flaws, NOT for the sake of monoculture. Those of us who understand security (and I mean security, not just security from a technical point of view) understand full well that security by obscurity is no security at all. No Sir! The benefit of avoiding a monoculture is ECONOMIC, not security. In the twelve years beginning 1990, I had my software budget shredded eight times by unilateral changes to licensing terms by Microsoft. That will never happen again, because never again will I allow a vendor-dependent monoculture to grow on my watch. Let me finish with the observation that you presented few arguments, but went for obfuscation, usually by misdirection, and ended up with over two paragraphs of the most heinous of Microsoft excuses, "it's the user's fault", claiming 99.99% of exploits are social engineering! I find that offensive. The number and depth of flaws in Microsoft code are legend, and they are nobody's fault but greedy managers who know full well that sizzle sells, security does not. And who further consider the "security market" an opportunity! Real security experts today, categorizing software flaws from everywhere, not just Microsoft, though Microsoft is no exception, still find that 92% or more of software security flaws have to do with buffer overflow. Why is this acceptable? The one thing computers do well is count! Why do we continue to use software development tools that do not BLOCK this SIMPLE failure?
kdx_kawboy 24-Apr-09 1:27pm

Roger,
I agree the biggest problem lies between the keyboard and the chair. I use personal firewalls, AV software, passwords to defy dictionary hacks, never click through, don't open attachments, and my computers have never been hacked. I've set up IIS servers that defy attacks. When it comes to security, our biggest problem is all about idjits and not the technology.

zman58 24-Apr-09 9:53pm

Roger, do you actually believe what you have printed? Do you actually believe we would all be better off if everyone ran to Microsoft for their IT? What does monoculture have to do with security? If all systems have the same security flaws, then of course it makes life easier for the bad guys. On top of that, if that monoculture solution is not securely designed, then the risks are cast widely across the entire monoculture. Bottom line is that if everyone is using the same software with the same weaknesses, then the risk factor goes way up. It does not take a rocket scientist to figure this out. Especially if that software is created in secret behind closed doors by a company that is more interested in extracting money from people than providing quality technical solutions. So you think that you have all of the security holes patched on your Windows systems? How many security flaws are there that the security folks know nothing about but the bad guys have at their disposal? How many security flaws are there that Microsoft knows about but has chosen to ignore? You can read all of the current literature and you still would not have answers to these questions, because we are not privy to that level of information. The system is proprietary, secret, hidden behind closed doors. On the other hand, if people use different software solutions which are written to common open specifications (e.g. W3C), then competition prevails and any given threat is reduced. On top of that, prices are checked and solutions cost less. The customer is better served in this way. We do not need a monoculture propped up by an illegal monopoly controlling prices and availability of software and systems through fear, threats, tortious interference of business, and false pretense. This is not my judgment; as most people know, it was decided in federal court...
http://www.justice.gov/atr/cases/f3800/msjudgex.htm I have been using Linux for more than 10 years now, and I can say that I have never ever, not one single time, had a breach, virus, or unwanted intrusion of any kind on any Linux system. On top of that, I have never run anti-virus software on any Linux system. ---I wish I could say the same for the monoculture solution, but we all know about that. ;)
Roger A. Grimes 27-Apr-09 5:39am

I apologize if you think this came off as purely a pro-Microsoft promotion. It certainly was not my intent. My intent is to dispel the mistaken notion that moving away to less popular software, or to more products, will automatically make our security problems go away. If your intent is to have more secure products, you need to choose products that are truly more secure, and not just less popular. For example, moving to DJBDNS or Qmail to get more security is a wise move, because the products themselves are more secure than many of the competitors' products. In the same vein, moving from IIS or Apache to some other, less known product, without really knowing its security status, isn't a smart security move, long-term.
kiernanholland 28-Apr-09 10:08pm
Security is a myth; you take risks with anything. It's how you secure the distribution of the software and the process by which the software is created that makes software more secure. The reason less popular software is a better choice is that the diversity makes it tougher on the writers of malware to exploit holes, as there are more holes that have to be exploited to take advantage of more systems. If everyone uses the same software, one hole could mean a world of trouble. This is why open source is a better solution. It also means a diversity of solutions, and holes in one offshoot of the source code won't be the same on another; it makes it tougher to exploit for the writers of the malware. Besides, I don't know why you are complaining; the organizations that open source most benefits are enterprise developers, as it prefers individual intellect to shelf software. The days of the software product solutions for businesses are over; shelf software will recede to the game boxes, where it belongs.
kiernanholland 28-Apr-09 9:58pm
The problem is this: Windows does not offer a package manager like that of Ubuntu that identifies free open source software from trustworthy locations to be downloaded and installed, thereby permitting the automation of signature checks to make the sources accountable for the distribution of the software. On Windows the users are forced to find software from untrustworthy sites. This is like Wal-Mart seeing people that are in the stores as customers while denying the customers security when leaving the stores. This is greed. Greed is not good; greed is going to be the end of you (a capitalistic software development evangelist) and Microsoft. The reaper is at the door. Closed source implies "proprietary" design, which is a lie; the flourishing use of open source is proof of that. The only commercial companies that will survive open source alternatives are those who create real innovative solutions with mysterious internal workings. And people who pay for it will, because it is affordable. Unaffordable software with unreasonable limitations on use and licensing is part of the drive of open source development. And until the evangelists realize this, they will keep doing what the minister of information for Saddam Hussein was doing at the fall of Saddam's empire. Do you really think you have a job? Journalist?
kiernanholland 28-Apr-09 10:23pm

I don't believe you on your claims of exploits in open source applications. Can you point to your references? I know there are exploits revealed in open source applications, but on Windows you rely on the downloaders that vendors provide to maintain fixes; on Ubuntu it's all automated, and when an exploit is learned of, everyone's machines are updated or warned of exploits in programs, which you can download and patch without any knowledge of the process. Also, closed source software does not share resources; you could have the same resources over and over again in different applications, adding to the gluttony of the Windows platform. In open source software distribution, applications are distributed not as a package but as a combination of shared libraries plus the original executable part. This means there is less gluttony in the platform, as there is less redundancy, and fewer places to look for security holes. But you also have many eyes looking at those oft-used libraries to make sure they are correct. Whereas on the Windows platform, you will have several packages installed, most using the same libraries or similar code, less reuse, and if there is a security hole in one library, it will be repeated for every package. So then each package has to be fixed once the developer begins to realize it is in their package as well. Security holes replicated with the redundancy of the code. Where is there a dependency distribution system in Windows? What kind of package manager could do that for closed source, capitalistically driven software? None; it's too much of a legal complication. It's comparing apples and oranges. Or apes to orangutans.
Tragicomix 29-Apr-09 11:10am
You are in total denial.
oiaohm 4-May-09 4:32pm

This article is right and wrong at the same time.

OS or application multiculture does not give security alone; this is correct. OS security multiculture can give better security. Most people are thinking about OS security multiculture when they say multi-OS.

The simple reason for the multi-OS mix-up is that Linux distributions are not different OSes but have different flaws and different security settings, so providing higher security than any single Linux out there would.

Something MS said for years is still true; just MS's interpretation was wrong.

Security through obscurity

MS took this to mean keep source code secret; it does not. What it means is that the attacker must not know what the system is on the other end. Closed source cannot do this alone, because it does not change, so the attacker can know what is on the other end.

The Linux kernel has 2 different security systems, soon to be joined by a third. This makes the problem far more complex for an attacker, since the system could be running any one of the 3. Windows has one built-in security system that it always runs with.

The Linux kernel also has patches for other non-mainline security systems. This also means that in obscurity to the attacker, Linux is winning. Even if you know the distribution the user is using, you don't know the security system that is in play.

From a simple risk-of-detection standpoint, it is safer to attack Windows. Linux will be gaining real-time scanning and other Windows virus prevention tech methods as well.

Linux and a lot of other OSes have gone the path of obscurity. There is no point knowing that X program has a flaw if you don't know whether by exploiting it you will get traced.

The monoculture of Windows security has made it the sitting duck it is today. Some anti-virus companies have tried hacking in a secondary security system, like Norton's, but this has led to users of that having an unstable computer.

The problem for MS is that giving up what third parties need to replace the security system of Windows also means giving up DRM and control of their OS.

Security monocultures are always a higher risk. There is a lot more that could be done to make obscurity better on Linux, like not web-advertising that you are running a particular distribution of Linux unless it's wrong.

Taking away the attacker's ability to find out in advance what security system is in place means the attacker is now playing Russian roulette, so reducing the effectiveness of the attack.

True obscurity provides attackers with false leads so they are detected before they enter the system.

infosec 5-Jun-09 5:46am
Neither monoculture nor diversity will save us. Rather, we must design and manage systems with a defense in depth approach that interleaves attribution, access control, least privilege, least functionality, and system integrity. The moment foreign code is allowed to run on a box is the opportunity for it to exercise vulnerabilities in the context of the executing process. We are doomed by our lack of knowledge of the software components in our systems. Knowing the integrity and authenticity of every software module is the best means to detect successful attacks. Enforcing integrity (white-listing) will emerge as the principal defensive method regardless of the software publisher.

©1994-2009 Infoworld, Inc.