Secure Coding mailing list archives
Open source fertile ground for foul play?
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Thu, 12 Feb 2004 23:45:56 +0000
There is an interesting article over on DevX.com (see the full article at http://www.devx.com/opensource/Article/20111). In the article, DevX Executive Editor, A. Russell Jones says that, "Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project." He says that this is true because open source "lets anyone modify source code and sell or distribute the results".

Now, I sure don't doubt that it's possible to deliberately insert a vulnerability into a software product, but I fail to agree with Mr. Jones that open source is more vulnerable to this _because_ it is open. IMHO, if a particular open source product is vulnerable to an insider attack, it is because of the processes in place for protecting the code from attack. I would think that a closed source product could also be susceptible to that if the code tree is not adequately protected. Further, I don't see any reason why an open source project couldn't follow good sound practices in protecting its src tree from attack. Admittedly, Jones does say that a closed src product could also be subverted like this, but that it is less likely, "because the source is better protected".

In any case, that's just my opinion on the matter, fwiw. (Oh, and I should probably also point out that I'm referring to processes in my comments, not to any particular products.)

Cheers,

Ken

--
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- Open source fertile ground for foul play? Kenneth R. van Wyk (Feb 12)
- Re: Open source fertile ground for foul play? Crispin Cowan (Feb 15)
- Re: Open source fertile ground for foul play? Kenneth R. van Wyk (Feb 15)
- <Possible follow-ups>
- Re: Open source fertile ground for foul play? Jean-Francois Poirier (Feb 13)
- Re: Open source fertile ground for foul play? Crispin Cowan (Feb 15)