Open Source Security: Still A Myth

jpkunst writes "John Viega (coauthor of a.o. Building Secure Software) argues in Open Source Securitey: Still A Myth at O'Reilly's onlamp.com that "open source software may currently be less secure than its commercial counterparts.". According to him, there may be "more eyeballs" looking at open source software, but he does not believe those eyeballs are looking for security problems in a structured way."

I have one word for you

[spif]

OpenBSD.

Developers! Developers! Developers! Developers!

Re:More Eyeballs

[MikeMacK]

Hmmm...I thought the point of the article was the Open Source security was a myth. I did read the article, by the way. I guess it should have been called, "Complex bugs not found right away, thus Open Source is not secure."

John Viega and Mailman

[waldoj]

For those who are or would assail John Viega's credibility, I should remind you who he is.

Most notable for the purpose of this discussion, Viega is the creator of Mailman, the fantastically-popular GPLd mailing list management software. All was good and well with his view of the many-eyeballs theory until, one day, he found a huge, glaring, holy-shit hole in Mailman a few years ago. He was so alarmed that nobody had ever spotted this that, after fixing it, he reflected on what he'd learned and turned it into a thoughtful article, The Myth of Open Source Security. As he wrote:

"For three years, until March 2000, Mailman had a handful of glaring security problems in code that I wrote before I knew much about security. An attacker could use these security holes to gain access to the operating system on Linux computers running the program.

"These were not obscure bugs: anyone armed with the Unix command grep and an iota of security knowledge could have found them in seconds. Even though Mailman was downloaded and installed thousands of times during that time period, no one reported a thing. I finally realized there were problems as I started to learn more about security. Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had."

Again, Mailman was and is an extremely popular program -- this was not a problem of obscurity.

So, the OnLamp.com article under discussion here is a follow-up to his original article, as he points out in the opening to the new article (but people apparently aren't reading.) As you can imagine, Viega is no rabid anti-OSS guy -- he's, in fact, the very model of what we want our developers to be. He writes good software, admits it when he writes bad software, and tells it like it is, even when we don't want to hear it.

(Disclaimers, such as they are: Viega is an adjunct professor at Virginia Tech, where I attend school, and I was the earliest alpha-tester of Mailman, in the late 90s.)

-Waldo Jaquith

OpenBSD is a good example

[harlows_monkeys]

OpenBSD is probably the most secure free OS, yet it has fewer people looking at it than Linux or FreeBSD. Fewer eyeballs are looking at OpenBSD, but they are very good eyeballs.

Another good example is Kerberos. It's been around a long time, looked at by researchers, students, open source developers, and closed source developers using it as a reference for implementing their versions. Yet, major flaws that weren't subtle have taken a long time to find.

Re:More Eyeballs

[Six+Nines]

A couple of nits to pick...

1) MSFT is about to celebrate its 30th anniversary (founded 1975, incorporated 1981).

2) Windows has been around for 20 years (Windows 1.0 was beta tested in 1983-1984, released 1985).

3) The Windows NT/2000/XP code base is almost 12 years old (NT 3.1 was released in 1993).

4) Persistently buggy apps are found among both open- and closed-source software. There's no monoply on spaghetti code.