Full Disclosure mailing list archives
[Full-Disclosure] Why don't more of us check the source code ? was Re: Netscape Problems.
From: Simon Waters <Simon () wretched demon co uk>
Date: Thu, 28 Nov 2002 00:06:59 +0000
Can we not move the debate forward from "Open Source" is better or worse in terms of security issues? Many factors influence how many flaws software has: developer know-how, developer commitment, development methodology, design quality, language choice and quality assurance procedures. Many of these factors are not dependent on whether the source is available or not. Spafford has even declared for agnosticism on this point.

The suggestion that "no one is looking at open source code" is clearly not supportable; I have received bug fixes from well known names in secure coding, fixing flaws in open source code, ergo at least one person is looking.

It seems that no one has run even basic automated source code tools over large sections of the available free and open source software, and reported or patched the code. I think a key point here is that these security fixes only exist because the code was open source, and thus the auditor could independently identify and report such flaws from automated source code analysis. A closed source product could do the same if they chose to use that tool in-house, but the potential exists for open source, and especially free software, to do better than it has done, and possibly better than closed source packages where only a limited number of tests are likely to be performed.

It also shows the pointlessness of counting fixes: the more inspections, the more fixes. Of course ideally they would all be done before formal release, but in the real world some bugs get through; the best we can hope for is better coding and techniques that minimise the scope of bugs to irritating failures rather than security issues. However I'd accept that not enough people are looking for security flaws in open source products (or at least looking and reporting ;-).
One of the advantages of open source should be the ability to do more extensive checking before you use code, so I suggest we all go from "./configure ; make ; make install" to "CCFLAGS= ---more paranoid checking ---- ; ./configure ; make ; rats --blah-- ; lclint --blah2-- ; ... other checks .. ; make install". I can't believe it is beyond the wit of man to automate this basic checking, and thus fairly quickly process large numbers of GNU style packages. Perhaps even the default template Makefiles in automake/autoconf could be altered to use such tools - the easier you make something the more it will happen!

Also the focus has historically been on programs that use setuid or elevated privileges or provide network services; however this is clearly insufficient, all software that handles untrusted input (which is most of it I'd suggest) needs to be secure.

I think arguing over who is better or worse in the status quo is missing the fact that much of the better software is still not achieving the basic levels of security necessary (and I'm as guilty as the next coder, both in my proprietary and free software).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
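As an added example (not from Simon's post or from any project), here is a POSIX sh wrapper that does what the post sketches: build with stricter compiler flags, run a source audit between "make" and "make install", and refuse to install when the audit fails. It assumes rats is optional; when it is absent, a grep for a few classic unsafe libc calls (a constructed stand-in, not a real checker) acts as the gate, and the sample source tree and the "zero hits" threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Gate "make install" on a
# source audit, as the post proposes. rats is used when installed; otherwise
# risky_call_count() is a crude, constructed stand-in for such a tool.

# Stricter compiler checking than a stock ./configure gives you.
paranoid_cflags() {
    printf '%s' '-O2 -Wall -Wextra -Wformat=2 -Wshadow -Wstrict-prototypes -Werror'
}

# Count call sites of a few classic unsafe libc functions in *.c under $1.
# Stand-in for a real checker; prints the hit count on stdout.
risky_call_count() {
    find "$1" -name '*.c' -exec grep -Eh \
        '(^|[^A-Za-z0-9_])(gets|strcpy|strcat|sprintf)[[:space:]]*\(' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Run the audit; exit status 0 means "clean enough to install".
audit_sources() {
    dir=$1
    if command -v rats >/dev/null 2>&1; then
        rats "$dir"                    # real tool when present, report on stdout
    fi
    n=$(risky_call_count "$dir")
    echo "audit: $n risky call site(s) under $dir"
    [ "$n" -eq 0 ]
}

# ./configure ; make ; <audit> ; make install -- install only if the audit passes.
checked_install() {
    ( cd "$1" && CFLAGS="$(paranoid_cflags)" ./configure && make ) || return 1
    audit_sources "$1" || { echo "audit failed; not installing" >&2; return 2; }
    ( cd "$1" && make install )
}

# Constructed sample tree (one clean file, one with strcpy) for trying the audit.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/good" "$t/bad" || return 1
    printf 'int f(char *d, const char *s, unsigned n) { return snprintf(d, n, "%%s", s); }\n' \
        > "$t/good/a.c"
    printf 'int g(char *d, const char *s) { strcpy(d, s); return 0; }\n' > "$t/bad/b.c"
    echo "$t"
}

# Demo: AUDIT_DEMO=1 sh thisfile.sh
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    T=$(make_sample_tree)
    audit_sources "$T/good"; audit_sources "$T/bad"; rm -rf "$T"
fi
```

Dropping checked_install into a package build script gives the "configure; make; audit; make install" sequence the post asks for, with the audit step swappable for rats, lclint or whatever checker the package maintainer prefers.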