Open Source Code Isn't a Warranty

An anonymous reader writes: Automotive software issues such as the Jeep hack and Volkswagen cheating on emissions tests have made headlines this year, which means the public is thinking about software in cars like never before. Some experts have argued that mandating that such software be open source is a solution to the problem. In an article on Opensource.com, Ben Cotton writes that although there are definite benefits to public scrutiny of the software, code visibility alone is no guarantee. It's an important thing to bear in mind, because "Open, therefore secure" is an easy straw man to knock down.

Guarantee

[KatchooNJ]

I think the better word choice is "guarantee" instead of "warranty" for the headline.

Re:Guarantee

[ShanghaiBill]

I think the better word choice is "guarantee" instead of "warranty" for the headline.

Also, "visible source" would be better than "open source". Unless they actually mean that anyone should be able to copy, modify, fork, and redistribute.

Re:guarantee

[bobbied]

And there is no such thing as security in closed source software.

I'm not so sure you can claim that. Where I will admit that closed source software has less people scrutinizing it and generally more eyes the better, I will not admit that makes it less secure. If security is important enough to the developer of a closed solution, important enough to actually cause the right things to happen during development and test to catch security issues before a solution is released, it can be as secure as any software out there. If you have the right people looking at it, looking for the right things, you can produce secure solutions that are closed source.

You see, open source just allows more folks to look at the details, it doesn't mean that the right kind of people actually do look at it. With closed source, you can get secure by demanding it from your development team and giving them the resources to accomplish it.

Re:Guarantee

[Capt.Albatross]

Do you trust yourself or your proprietary software vendor more? It can be a hard choice in some situations.

It's a Hobson's choice for me, as I don't have the time or resources to verify the software of my car, let alone those that I rent.

Re:Guarantee

[ShanghaiBill]

I don't have the time or resources to verify the software of my car

I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

Re:Guarantee

[Capt.Albatross]

I don't have the time or resources to verify the software of my car

I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

Many of the things you use are welded shut - integrated circuits, for example.

Re:"Open == Secure"?

[SecurityGuy]

They're both wrong.

Open == You can audit it if you want. It's absolutely no guarantee that anyone ever has.

However..

The more insight into code, the less likely companies will do what VW did because its open to public scrutiny. I think we should be focusing on the "Open, therefore open to scrutiny" than the misconception of "Open, therefore secure".

"Open, therefore secure"

[gQuigs]

or maybe...

Open, therefore not illegal to review?

Duh...

[gweihir]

Another stupid comment by people that do not understand the difference between a "necessary condition" and a "sufficient condition".

Open-sourcing the software/firmware in question is a necessary thing. That means it must be done. It is not a sufficient condition. That means it is not enough. It still must be done, but other things must be done in addition to get the desired outcome.

It is almost as if people do not understand basic logic anymore. No surprise so many things in the IT space get screwed up badly these days.