Secure Coding mailing list archives

Economics of Software Vulnerabilities


From: jericho at attrition.org (security curmudgeon)
Date: Fri, 23 Mar 2007 07:04:26 +0000 (UTC)


On Wed, 21 Mar 2007, Steven M. Christey wrote:

: > With rare exceptions, in general, I do not find that the
: > open source community is that much more security conscious
: > than those producing closed source. Certainly this seems true
: > if measured in terms of vulnerabilities and we measure "across
: > the board" (e.g., take a random sampling from SourceForge) and
: > not just our favorite security-related applications.
: 
: Indeed, CVE and any other refined vulnerability information source is 
: chock full of open source products on SourceForge that have the most 
: obvious security holes possible, and let's not forget the open source 
: products that have gotten a bad reputation such as PHP-Nuke and 
: Sendmail. Insecure programming is universal.

Belated, but I'd like to mimic Mr. Christey's comments here. For almost 
two decades, we've all heard or believed in the idea that open source is 
better than closed, because "anyone can look at it". In theory, this is 
outstanding. In reality, this is a joke told at security conventions.

Just because people can look at a project in detail doesn't mean they 
will. More to the point, just because people can doesn't mean code 
auditing gurus will look at it.

If you consider projects like the Linux kernel, there are definitely a 
*lot* of coding ninjas involved. Despite that, we see a never ending 
stream of vulnerabilities (most local DoS attacks) being published. Does 
this mean the Linux Kernel developers are 
irresponsible/incompetent/lazy/whatever? Absolutely not. It only means 
that the notion that open source will be viewed by thousands of eyes was a 
nice pipe dream and talking point years back, not reality.
