Economics of Software Vulnerabilities

[James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))]

Kevin, I would love to see open source communities embrace secure coding practices with stronger assistance from 
software vendors in this space. This of course requires going beyond "audit" capability and figuring out ways to get 
the tools into developers hands.

As a contributor to open source projects, I struggle with introducing security as I already contribute my time with the 
support/blessing of my significant other but she wouldn't let me spend hard cash on tools for contributing to open 
source. I wish there was a better answer for us all in this seat.

Generally speaking, many of my peers outside of work contribute to open source with the rationale that it a safer place 
from a political perspective to try things out, kinda like a POC where the outcome doesn't have to be successful and it 
won't show up on your annual review. Lately, I haven't figured out how to reduce my own exposure...

-----Original Message-----
From: Wall, Kevin [mailto:Kevin.Wall at qwest.com]
Sent: Tuesday, March 20, 2007 9:16 PM
To: McGovern, James F (HTSC, IT)
Cc: sc-l at securecoding.org
Subject: RE: [SC-L] Economics of Software Vulnerabilities


James McGovern apparently wrote...

> The uprising from customers may already be starting. It is 
> called open source. The real question is what is the duty of 
> others on this forum to make sure that newly created software 
> doesn't suffer from the same problems as the commercial 
> closed source stuff...

While I agree that the FOSS movement is an uprising, it:
        1) it's being pushed by "customers" so much as IT developers
        2) the "uprising" isn't so much as being an outcry against
           security as it is against not being able to have the
           desired features implemented in a manner desired.

At least that's how I see it.

With rare exceptions, in general, I do not find that the
open source community is that much more security consciousness
than those producing closed source. Certainly this seems true
if measured in terms of vulnerabilities and we measure "across
the board" (e.g., take a random sampling from SourceForge) and
not just our favorite security-related applications.

Where I _do_ see a remarkable difference is that the open source
community seems to be in general much faster in getting security
patches out once they are informed of a vulnerability. I suspect
that this has to do as much with the lack of bureaucracy in open
source projects as it does the fear of loss of reputation to their
open source colleagues.

However, this is just my gut feeling, so your gut feeling my differ.
(But my 'gut' is probably bigger than yours, so feeling prevails. ;-)
Does anyone have any hard evidence to back up this intuition. I
thought that Ross Anderson had done some research along those lines.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.


*************************************************************************
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************