Slashdot Mirror


Is Code Auditing of Open Source Apps Necessary?

An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"

18 of 108 comments

  1. Yes. by wed128 · · Score: 5, Insightful

    Next Question.

    1. Re:Yes. by causality · · Score: 3, Insightful

      Next Question.

      No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Yes. by Thanshin · · Score: 5, Funny

      No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

      No.

      They should pass an accelerated three month course on how to mix cement, then spend six months mixing cement for $300/month and then change jobs saying in their CV that they have five years of experience in construction. Only then are they ready to apply their experience to design a bridge.

      When the first car goes over it and falls to its demise, they just have to patch the bridge.

      After a couple of years and innumerable patches, the bridge, now essentially a pile of cement over a chasm, will finally stop dropping more than a couple cars per day to the void. At that point, the engineers are ready to find a management position.

    3. Re:Yes. by dkleinsc · · Score: 3, Interesting

      I'm reminded of the method of quality assurance used by the Romans: After putting in the capstone of an arch, the engineer responsible for creating that arch was required to stand under it while the wooden scaffolding was removed.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Yes. by tool462 · · Score: 2, Insightful

      Interesting. I can think of another field where this could be useful:

      Require all fund managers to have a significant portion of their net worth in the funds they manage. If the fund collapses, they go down with the ship.

  2. OpenBSD by Anonymous Coward · · Score: 2, Informative

    OpenBSD does code audits. All security-sensitive applications should be audited, if not by the developers, then by the people deploying them, if they have the resources.

  3. Flip the question. by tacarat · · Score: 2, Interesting

    How are they auditing the code of the closed source apps they're using? If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?

    --
    "Common sense will be the death of us all"
    1. Re:Flip the question. by BronsCon · · Score: 4, Insightful

      It's different because users of paid merchandise or services can seek legal remediation if something goes terribly wrong. Unless, of course, the license agreement specifically states that there is no guarantee of the program's fitness for any specific purpose.

      There, fixed that for ya.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Flip the question. by minsk · · Score: 2, Insightful

      The payment creates an obligation.

      An obligation to include vicious anti-liability clauses and avoid any admission of wrong-doing?

    3. Re:Flip the question. by schon · · Score: 2, Funny

      Has anybody sued MS and won because there was a bug in their product?

      Of course not. Everyone knows that MS products don't have bugs.

    4. Re:Flip the question. by Kjella · · Score: 2, Informative

      IANAL, but that clause would be trivial to toss out

      Lawyer: "I'm not a software developer, but it's trivial to use that java library in a C# application"

      That's about how many orders of wrong you are here. I also play my share of lawyer on slashdot, but I know how to read cornell.edu - and it's amazing how much better the discussion would be if most people had - but I also know when to STFU and not make a fool out of myself. Like in this case UCC 2-316, Exclusion or Modification of Warranties, which quite clearly states that you can exclude any implied warranty of fitness or merchantability. You may get around that if you prove the disclaimers are unconscionable, but that's a tall order and not in any case trivial. Maybe for things that are more malice or fraud than incompetence, or in case of personal injury, which is why software often explicitly excludes any such use.

      --
      Live today, because you never know what tomorrow brings
  4. It's not even really a question by BadAnalogyGuy · · Score: 3, Insightful

    The answer is Yes. When you run software, you are running it under 1 of the following 3 assumptions:

    1. You implicitly trust the vendor
    2. You have tested it yourself and trust your tests
    3. You are oblivious (the vast majority of users are)

    What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.

    To simply accept a software package without assuming it is riddled with bugs and security vulnerabilities is foolish. No matter if it is a proprietary software package or an Open Source community project, any sane CIO will want some sort of evidence that the product will not end up losing them money and customer trust due to security vulnerabilities.

    1. Re:It's not even really a question by jimbobborg · · Score: 5, Insightful

      What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.

      I still hear this every once in a while. So my question is, has anyone ever sued Microsoft for loss of data/trust? Have you not read the EULA?

  5. No, don't flip the question. Answer it. by elnyka · · Score: 4, Insightful

    How are they auditing the code of the closed source apps they're using? If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?

    Flipping the question does not answer the original one, which is a valid one and which deserves an answer. The answer is, just like anything, it depends. It depends on the open source artifacts in question; it depends on the specific audit/security requirements; it depends on how critical the app under development is; it depends on SLA agreements (if one exists and requires it).

    As you said, if there are steps in place, use those as a minimum, provided that they are sufficient for the requirements at hand.

    If there aren't any, you can't just cross your arms and say "well, if I didn't do them with COTS, why would I with FOSS"? If there aren't, and your project requires them, then shit, you implement them.

    The question of whether to sec audit something, be it COTS or FOSS, is predicated on the requirements at hand, not on whether a previous usage of COTS (or FOSS) was properly audited in the past.

  6. Re:Monty Python Engineering by Savage-Rabbit · · Score: 3, Funny

    King of Swamp Castle: When I first came here, this was all swamp. Everyone said I was daft to build a castle on a swamp, but I built it all the same, just to show them. It sank into the swamp. So I built a second one. And that one sank into the swamp. So I built a third. That burned down, fell over, and then sank into the swamp. But the fourth one stayed up. And that's what you're going to get, Son, the strongest castle in all of England.

    That sounds a lot like the development history of Windows.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  7. Audit the FOSS projects, not the code by cenc · · Score: 2, Interesting

    Open source code development by definition is a sort of "self-auditing" process. That is all good. The bigger problem that is unaddressed in the FOSS community at large that I see is when the projects that run them fall apart. For example, in this case, whether the sun is going to set on Sun is still not known. What about Mysql?

    More commonly it is the problem of rag tag bands of volunteers (that are increasingly novice these days), where a couple of major players move the project along and if something happens to them the project goes off the rails. The rather high profile example of this was the CentOS fiasco earlier this year.

    I know everyone is going to come back and say things like, "if you don't like it, fork it". That is a nice sentiment, but much harder to do in practice. Often it is like saying if you don't like the service you get at Wal-Mart, start your own department store chain, bank, pharmacy, or whatever. Not something even most larger companies can do, let alone private end users.

    We need a system for auditing and reviewing open source projects for their viability and overall health so users (individuals, companies, and other projects that depend on them) can make real decisions about using what they produce. Right now it is more of an art than a science to determine if a project is going to live. I am not saying limit open source creativity or stop small projects, but provide transparency as to the health of the projects. We can see the structure of the code; we should be able to see the structure of the community that builds and maintains it.

  8. Re:I thought auditing was the whole point by Anonymous Coward · · Score: 4, Insightful

    The funny thing is, how many people are actually eyeballing the code? Are you, or do you just assume thousands of other people are?

  9. Re:Monty Python Engineering by Intron · · Score: 4, Funny

    Except for the part about the 4th one staying up.

    --
    Intron: the portion of DNA which expresses nothing useful.