Secure Coding mailing list archives

Open source fertile ground for foul play?


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Thu, 12 Feb 2004 23:45:56 +0000

There is an interesting article over on DevX.com (see the full article at 
http://www.devx.com/opensource/Article/20111).  In the article, DevX 
Executive Editor, A. Russell Jones says that, "Eventually -- and inevitably -- an 
open source product will be found to contain a security breach -- not one 
discovered by hackers, security personnel, or a CS student or professor. 
Instead, the security breach will be placed into the open source software 
from inside, by someone working on the project."  He says that this is true 
because open source "lets anyone modify source code and sell or distribute 
the results".

Now, I sure don't doubt that it's possible to deliberately insert a 
vulnerability into a software product, but I fail to agree with Mr. Jones 
that open source is more vulnerable to this _because_ it is open.  IMHO, if a 
particular open source product is vulnerable to an insider attack, it is 
because of the processes in place for protecting the code from attack.  I 
would think that a closed source product could also be susceptible to that if 
the code tree is not adequately protected.  Further, I don't see any reason 
why an open source project couldn't follow good sound practices in protecting 
its src tree from attack.  Admittedly, Jones does say that a closed src product
could also be subverted like this, but that it is less likely, "because the source 
is better protected".

In any case, that's just my opinion on the matter, fwiw.  (Oh, and I should
probably also point out that I'm referring to processes in my comments,
not to any particular products.)

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com
