Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: dwheeler at ida.org (David A. Wheeler)
Date: Fri, 23 Mar 2007 14:24:21 -0400
On Wed, 21 Mar 2007, Steven M. Christey wrote:

: > With rare exceptions, in general, I do not find that the
: > open source community is that much more security conscious
: > than those producing closed source. Certainly this seems true
: > if measured in terms of vulnerabilities and we measure "across
: > the board" (e.g., take a random sampling from SourceForge) and
: > not just our favorite security-related applications.
A random sampling from SourceForge will typically find the worst ones. Most OSS projects, like most proprietary projects, die due to lack of attention from _anyone_.
: Indeed, CVE and any other refined vulnerability information source is
: chock full of open source products on SourceForge that have the most
: obvious security holes possible, and let's not forget the open source
: products that have gotten a bad reputation such as PHP-Nuke and
: Sendmail.
A well-deserved bad reputation, I might add, though I've been told that the latest versions of Sendmail are better.
: Insecure programming is universal.
Absolutely.

security curmudgeon <jericho at attrition.org> piped in:

: Belated, but I'd like to mimic Mr. Christey's comments here. For almost
: two decades, we've all heard or believed in the idea that open source is
: better than closed, because "anyone can look at it". In theory, this is
: outstanding. In reality, this is a joke told at security conventions.
: Just because people can look at a project in detail, doesn't mean they
: will. More to the point, just because people can, doesn't mean code
: auditing gurus will look at it.
: ...
: the notion that open source will be viewed by thousands of eyes was a
: nice pipe dream and talking point years back, not reality.
Nonsense. Widespread review of _some_ OSS programs, by many eyes, _IS_ reality. Just look at the evidence. There are a number of OSS projects where it's quite clear just by looking at the SCM records that many people _do_ review the code, both manually and by automated means. The OpenBSD developers have been doing manual review for a long, long time, and their record of only 2 remote holes in 10 years is quite impressive. Debian has a similar audit project as well. (Both OpenBSD and Debian focus their efforts though... only SPECIFIC programs get reviewed, not stuff like chess games.) There's a $500 bounty for finding vulnerabilities in Mozilla, and it's clear that many people are reviewing Mozilla Firefox's code specifically for security issues. There are now several projects that download OSS programs, review them through automated tools, and send back their results to the developers (DHS and Fortify back two such projects). The claim that "no OSS program gets lots of review" is absolutely untrue.

On the other hand, it's nonsense that just because something is OSS means that (1) it's automatically secure or (2) it'll always be reviewed. If _that_ is what you mean, then I completely agree with you.

Sendmail has had a terrible record - but Exchange is no saint either. I'd rather put my money on Postfix, which was specifically DESIGNED to be secure, as well as having review, than either of them.

I believe that you need to evaluate the security of OSS programs - or proprietary programs - on a case-by-case basis. On that, I hope, we agree. Any OSS program can in theory be reviewed, but only some get real review. There are a number of specific OSS programs that do markedly better than their proprietary competition in terms of security - unsurprisingly, those tend to be the ones that HAVE received lots of review. Conversely, there are many OSS programs (and proprietary programs) that are absolute junk. So look before you leap.

--- David A. Wheeler