Slashdot Mirror
Open Source For Perimeter Security
An anonymous reader writes "IT Observer has a look at some of the perceived problems with an OpenSource approach to security and what could be done to improve the situation. From the article: 'There is a widespread and wholly inaccurate impression that open source development is somehow haphazard and undisciplined, a free-for-all among brilliant but uncoordinated individuals. In fact, most major open source projects are very tightly managed highly disciplined teams. This article gives examples of very successful Open Source security projects -- netfilter and Snort -- and also describes some weaknesses that need to be addressed by IT organizations or vendors.'"
I'm sorry, but I find the constant argument that open source is less secure because everyone can see the source to be a silly waste of effort, usually promoted by the commercial security software vendors.
They ignore that the driving principle in open source development is quality software, so everyone who works with it is always looking to find the flaws and remove them.
Neither is inherently more secure, open source has the benefit of more people actively working to improve the code base than any commercial software company can afford to pay. That includes Microsoft. Yes, Microsoft cannot afford to pay the same number of programmers as are actively donating code improvements to open source software solutions.
Those of us that use open source software are more likely to learn the code to improve software we like than those using proprietary products are likely to do anything to help improve the software, including submitting the automatic crash reports that most software has implemented.
[ I personally don't use that even with open source software, running gdb against the core, then seeing what caused the crash and submitting a patch is more usefull. ]
J. Henager: If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux
"The project was founded in 1999 in Australia and has now grown to more than 100,000 lines of code contributed by over 700 developers."
And therein lies a large chunk of "the problem" for OSS projects if you ask me. It's much easier to manage 20 developers who each have to write 5,000 lines of code than to manage 700 developers who each write (I'm sure it doesn't work out like this) 143 lines of code. I'd love to have 700 people reviewing the code written by the 20, but 700 cooks in the kitchen it's extremely difficult to adhere to conventions for APIs, standard error handling, etc...
The solution for closed source projects to come inline with the perceived vastly superior security of OSS projects is to overload their projects with white-box testing harnesses and QA testers who know how to do white-box testing. Unfortunately that's extremely expensive so it gets pushed in favor of more black-box testing. I do believe OSS projects have a better security track record, but I don't believe it's nearly as large as the Slashdot illuminati make it out to be.
Boy that's the truth brother! IPTABLE syntax is for those who like to write rule sets in C. pf is definitely the example of how a command line firewall syntax should be done. Easier to read is equal to less chance for mistakes.