Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 23 Mar 2007 07:04:26 +0000 (UTC)
On Wed, 21 Mar 2007, Steven M. Christey wrote:

: > With rare exceptions, in general, I do not find that the
: > open source community is that much more security conscious
: > than those producing closed source. Certainly this seems true
: > if measured in terms of vulnerabilities and we measure "across
: > the board" (e.g., take a random sampling from SourceForge) and
: > not just our favorite security-related applications.
:
: Indeed, CVE and any other refined vulnerability information source is
: chock full of open source products on SourceForge that have the most
: obvious security holes possible, and let's not forget the open source
: products that have gotten a bad reputation such as PHP-Nuke and
: Sendmail. Insecure programming is universal.

Belated, but I'd like to mimic Mr. Christey's comments here.

For almost two decades, we've all heard or believed in the idea that open source is better than closed, because "anyone can look at it". In theory, this is outstanding. In reality, this is a joke told at security conventions. Just because people can look at a project in detail doesn't mean they will. More to the point, just because people can doesn't mean code auditing gurus will look at it.

If you consider projects like the Linux kernel, there are definitely a *lot* of coding ninjas involved. Despite that, we see a never-ending stream of vulnerabilities (most local DoS attacks) being published. Does this mean the Linux kernel developers are irresponsible/incompetent/lazy/whatever? Absolutely not. It only means that the notion that open source will be viewed by thousands of eyes was a nice pipe dream and talking point years back, not reality.