Will Security Task Force Affect OSS Acceptance?

An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undiciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be writen entirely by licensed developers to be considered secure? . Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.

Why is some software more secure than others?

[the+man+with+the+pla]

I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.

Why is some software more secure than others?

How do you measure software security?

Here's my definition on what is secure software.

Intro

I get really tired of seeing these kinds of comments every time some widely used software has security holes:

• No software is secure. The difference is how quickly they fix it.
• It's good that they were found. Now we have less security holes.
• Popular software gets more security audits which is why they seem to have more security holes.

While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.

Simplicity Is Security

The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.

Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.

How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.

Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.

Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.

(some examples in the web page not included)

--
Brought to you by the DB tool
7098931

Re:Good concept, illegal in practice

[boobsea]

A title of nobility grants special rights or privileges upon someone.

Hence, a license to practice medicine is a title of nobility.

However, states are free to grant such titles.