Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source Security: Still A Myth

Posted by CmdrTaco on from the something-to-think-about dept.

jpkunst writes "John Viega (coauthor of a.o. Building Secure Software) argues in Open Source Securitey: Still A Myth at O'Reilly's onlamp.com that "open source software may currently be less secure than its commercial counterparts.". According to him, there may be "more eyeballs" looking at open source software, but he does not believe those eyeballs are looking for security problems in a structured way."

19 of 502 comments (clear)

  1. Still... by bustersnyvel · · Score: 5, Insightful

    ... once something is actually found, it's fixed a lot faster than in most commercial software.

    1. Re:Still... by echeslack · · Score: 5, Insightful

      I think it may also have to do with the variety of testing. I admit that you are probably right, a lot of OSS vendors don't do extensive testing, but for a lot of them they don't have to. If the vulnerability only affects one product on one hardware platform, you have to test various configurations, but you have at least 1 order of magnitude less testing to do than, say, Microsoft might have for a fix that crosses multiple versions of windows, and may affect PCs, PDAs, etc.

      Also, if bugs are found by those in the community, the fix may have time to be tested before it is widely publicized. It seems (just from observing announcements, nothing scientific) that a lot of Microsoft vulnerabilities are discovered by third parties that cannot go and fix them while in OSS they tend to be discovered by people in the security sector, but often they may provide a fix at the time of announcement or not announce until a fix is in cvs.

      --
      GMail invites for completed freeipods.com of
    2. Re:Still... by erktrek · · Score: 5, Insightful

      What about the "just get it done we have a deadline to meet and screw everything else" mentality of commercial vendors?

      One of the big shockers out of college and into the big bad business world was the idea of "good enough" versus "doing it right".

      E.

    3. Re:Still... by LnxAddct · · Score: 5, Insightful

      *cough* Service Pack 2 *cough*
      *cough* Disable javascript which is essential to many business's core web applications*cough*
      *cough*Break standard compliant web sites and standards because we can*cough*
      *cough* I could go all day coughing under my breath about things MS breaks and on purpose*cough*

      Real operating systems aren't so independent on every other piece that by changing one component, you may break many unrelated components. I don't know about other Open Source vendors, but Red Hat does extremely intensive testing, I would assume Novell does too. The nice thing is, it usually goes significantly quicker because if they update a web browser, they don't need to make sure it doens't break the Office Suite, Mail Client and File Browser.
      Regards,
      Steve

    4. Re:Still... by Silver+Sloth · · Score: 5, Insightful

      In my experience most good coders are very proud of their work. Whilst the commercial coders may have to let work that they know is shoddy and full of holes go because they have to meet a dead line OSS coders are looking for peer approval and you don't get that with buggy code. Imagine the shortcuts that are being taken by M$ as the pressure to get Longhorn out in time rises

      --
      init 11 - for when you need that edge.
    5. Re:Still... by Anonymous Coward · · Score: 5, Insightful


      One of the big shockers out of college and into the big bad business world was the idea of "good enough" versus "doing it right".
      If you think this mindset does not exist in OSS than you are naive. Do you honestly think that OSS software is released without the developers knowing that it contains bugs? OSS developers don't write flawless code. Therefore any OSS code released to the public has been deemed to have reached a point of "Good Enough".

    6. Re:Still... by Jakhel · · Score: 5, Interesting

      You know it's funny that you say that. I was in a software project management class my senior year in college. We were required to create a piece of software that did specific functions and turn it in at the end of the semester. Becuase this was a group project, all groups ended up missing some deadlines here or there, which inevitably cost them man hours in the long run (we were required to keep track fo cost). After about the 3rd missed deadline by groups (due to bug workouts, people not doing their part, etc.), my professory, a former IBM employee, told us a story.

      He said one year, he was heading up a project that involved writing software for IBM machines. They were nearing the release date and still had dozens (if not more) of bugs to work out. He went to his boss, a B-school guy, and said "look, I know we're close to the deadline, but there are still many bugs that we really need to work out before this thing ships. We don't want to release a product that costs this much and still has some things wrong with him".

      Now keep in mind that there were hundreds, if not thousands of companies ready to buy the machines as soon as it was released. They had orders from companies around the world. Because they were competing with other companies selling similar products, the need to meet the deadline was even more important.

      Back to the story, his boss looked at him and said "so you mean to tell me that you think we should delay the release of a product that has the potential, and is almost guaranteed, to earn us hundreds of millions of dollars for a few bugs? I don't think so. We'll release the product and support it later on. Tech support will cost us less in the long run than delays at this point".

      So they released the product, sent developer level techs around the world after companies began to complain about the bugs, and that was that.

      Moral of the story? Sometimes, from a busines stand point, you should release the product and support its bugs later on. But that usually depends on the amount of competition in the market and money that is riding on the product. Yeah it sucks from a developers stand point, but developers dont make business decisions in the real world.

      See Examples. HL2, DNF, etc.

  2. Securitey by whitelabrat · · Score: 5, Funny

    Looks like geeks with spelling skills are still a Myth too?

  3. OSS users/coders still close them up faster... by garcia · · Score: 5, Insightful

    Others will say, "Open source developers are more clued in to security issues due to a better sense of community, and their software is more secure as a result."

    He's right. They may not be looking for security holes and they may not find them because of all the "eyeballs" but they will certainly fix them and release a patch to the community shortly after it is discovered.

    Now, even if MSFT did release a patch right away it wouldn't make much of a difference as most people don't update their software. The OSS community, OTOH, is still mostly comprised of people that have a Clue and those people generally patch immediately.

    So while what the article states is true currently the OSS community does respond faster and with less problems than their counterparts on the other side of the fence.

  4. Go team go! by Maagma · · Score: 5, Funny

    Securitey, it's like 'Security' but with an extra 'e' for effort!

  5. Re:More Eyeballs by DogDude · · Score: 5, Insightful

    What about more eyeballs meaning a faster fix?

    But again, the problem is the problems are not being found in the first place. Look for example, at Sendmail. It's 25 years old, but is *still* a buggy, buggy app. It STILL isn't secure and bug-free. The inevitable comparison with MS willl come up, so let's look at that. First off, MS hasn't even been *around* for 25 years. As far as specific products go... with all of its patches, W2K is generally considered quite stable, and relatively secure (again, with all of its patches in place). W2K is about 5 years old at this point.

    So, I think that this article has some merit.

    --
    I don't respond to AC's.
  6. You better read it... by danielrm26 · · Score: 5, Interesting

    At the end of the article (I read it for some reason) the author seems to somewhat agree that open-source code is at least equal with - if not superior to - proprietary code. This seems to fly in the face of his initial statements.

    This is a common writing technique -- get a reaction based on title and initial statements, and then bring the real argument later on. Just don't walk away thinking this guy is saying open-source code has worse security overall based on the title; that's not what he said.

    --
    dmiessler.com -- grep understanding knowledge
  7. Re:I have one word for you by Sexy+Commando · · Score: 5, Insightful
    You have just made an example that software which eyeballs proactively looking for security holes is more secure. That is why OpenBSD stands out as one of the most secure OS.

    Busy eyeballs are better than idling eyeballs.

  8. I would have to say by GillBates0 · · Score: 5, Interesting
    I believe that in the long run, open source software does have the potential to be more secure than closed systems, since open source projects can do everything commercial projects can. When high-quality analysis tools become more common, hopefully the "many eyeballs" phenomenon will work. Still, when it comes to security, money looks like it will be a big catalyst for positive change--and the open source community is largely insulated from it.

    the article is a balanced and well-written one. From the title and summary, I concluded that this was possibly one of those "Rob Enderle" type Microsoft FUD, but surprisingly the author seems to know what he's talking about and comes up with a pretty balanced argument - the above excerpt is one of the examples.

    I agree with some of the conclusions/suggestions like a more structured approach and software engineering techniques, but the fact remains that most software hobbyists (the principal contributors to open source software) *firmly* dislike process and red-tape. And they're right, since they're pursuing a hobby, they should be able to do what they like as they see fit.

    But then, he's obviously more qualified than the other Microsoft apologists which've written "knowledgeable" articles about open source insecurity.

    John Viega is Chief Scientist of Secure Software, and the coauthor of "Building Secure Software" (Addison-Wesley) and "Network Security with OpenSSL" (O'Reilly).

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  9. And closed-source? by Anonymous Coward · · Score: 5, Interesting

    Sure most people aren't looking at security in open source in a structued way, but some people are. Plus, open source can still be better if nobody is looking at closed source security at all. I know where I work, security defects become fodder for amusement at meetings, rather than seious issues to fix.

    No I won't say where I work, but it's not MS.

  10. One thing he (and Microsoft) is missing by dpilot · · Score: 5, Insightful

    There's something FAR more important about security than the code, the number of eyeballs looking at it, or even the skill of those eyeballs.

    Trust. More specifically doing away with Trust.

    I had a minor epiphany yesterday, read about Microsoft's DRM efforts, and realizing what may be fundamentally wrong with their security. IMHO, Microsoft believes that bad security is due to bugs, and that if they can squash their bugs, they will be able to have secure code, AND be able to TRUST the computer that their code is operating on. I'll even let them consider an insecure algorithm a bug, for the sake of this discussion. I think they really believe they can eventually ship sufficiently bug-free code to be considered Trustworthy in execution.

    Contrast that with the attitude toward security that has grown in the Open Source arena. No matter how good you get, bugs will *always* be found. No matter how secure you think your system is, *someone* can always get in. Finally, you have to consider *all* avenues of attack, not just the technical/cracking ones.

    Some descendents of these attitudes:
    Without physical control, the rest of the security is worthless.
    Human engineering is probably the biggest security hole.
    Consider security as a value proposition, in two ways:
    1: Can I make it sufficiently expensive that they'll attack someone else, instead of me?
    2: How much do I want to spend on security, and how do I balance that with a recovery plan?
    Security isn't a "nail it down, once" thing, it's a process, and includes evolution.
    Bugs will happen, so put security in layers, to try and eliminate single-point-of-failure issues.

    It's not so much the code, or the eyeball count, or the specific eyeballs. It's the attitude.

    --
    The living have better things to do than to continue hating the dead.
  11. Re:More Eyeballs by gowen · · Score: 5, Insightful

    Actually, the comparison between Sendmail and Windows 95/98/ME is a good one. They're both from a more innocent time, when code could pretty much trust everything it was being fed. As such, there was little or no security designed into them, and it has had to be bolted on from the outside, in.

    And look at the success they've achieved with that style. If we learn anything from Sendmail, its that security must be designed in, rather than an afterthought.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  12. John Viega and Mailman by waldoj · · Score: 5, Informative
    For those who are or would assail John Viega's credibility, I should remind you who he is.

    Most notable for the purpose of this discussion, Viega is the creator of Mailman, the fantastically-popular GPLd mailing list management software. All was good and well with his view of the many-eyeballs theory until, one day, he found a huge, glaring, holy-shit hole in Mailman a few years ago. He was so alarmed that nobody had ever spotted this that, after fixing it, he reflected on what he'd learned and turned it into a thoughtful article, The Myth of Open Source Security. As he wrote:
    "For three years, until March 2000, Mailman had a handful of glaring security problems in code that I wrote before I knew much about security. An attacker could use these security holes to gain access to the operating system on Linux computers running the program.

    "These were not obscure bugs: anyone armed with the Unix command grep and an iota of security knowledge could have found them in seconds. Even though Mailman was downloaded and installed thousands of times during that time period, no one reported a thing. I finally realized there were problems as I started to learn more about security. Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had."
    Again, Mailman was and is an extremely popular program -- this was not a problem of obscurity.

    So, the OnLamp.com article under discussion here is a follow-up to his original article, as he points out in the opening to the new article (but people apparently aren't reading.) As you can imagine, Viega is no rabid anti-OSS guy -- he's, in fact, the very model of what we want our developers to be. He writes good software, admits it when he writes bad software, and tells it like it is, even when we don't want to hear it.

    (Disclaimers, such as they are: Viega is an adjunct professor at Virginia Tech, where I attend school, and I was the earliest alpha-tester of Mailman, in the late 90s.)

    -Waldo Jaquith
  13. Even Worse by Salamander · · Score: 5, Insightful

    I was struck by something while reading this passage:

    Most people who look at the source code for open source software don't explicitly look for security bugs. Instead they likely have in mind a particular piece of functionality that they want to augment

    Not only is that sort of developer not looking for security bugs, but they're pretty likely to be just getting their feet wet working on that project and might well introduce a bug. Then, there's a significant possibility that nobody else cares about the feature that one developer added to scratch their own itch, so nobody's going to look at the code that implements it. Yes, there are more eyeballs, but those eyeballs are not evenly distributed. There are certain pieces of code that everybody is looking at, and there are vast tracts of code that practically nobody is looking at - none with an eye toward security. How many Linux drivers have you looked at? I'll bet the majority of the people reading this haven't really looked at any Linux kernel/driver code whatsoever. Have you looked at the code for Apache? Perl/Python/Ruby? MySQL? Gcc? Open-source users outnumber programmers a hundred to one, and each developer has a fairly narrow area that they're either interested in looking at or qualified to look at, so the number of eyeballs on some piece of code implementing an unpopular feature in a popular package is nowhere near what some people seem to think. It might be dozens, it might be one, and quite often it will be zero once the guy who wrote it moved on to something else. That's no better than the almost-always-one you'll get with commercial software, and sometimes it's worse.

    --
    Slashdot - News for Herds. Stuff that Splatters.