There’s a good article on LinuxWorld about the security debate between open-source and Windows. My first question is, does it need to be a debate? In this day and age, isn’t it easy enough to quantify vulnerabilities?
If you are looking for subjective opinion, I recommend looking through the interviews we’ve done here. At the risk of sounding like a Microsoft fan-boy, the Microsoft interviews (in my opinion) demonstrate a company where secure coding is “in the water”. Code goes through threat modeling, risky function calls have simply been banned, code goes through automated and human inspection, and vulnerabilities that do slip through feed back into the process to determine how to prevent them in the future.
I simply don’t get the same feeling from the open-source people we’ve talked to. When we’ve brought the subject up, the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.
Am I completely off base? Do things like the Linux kernel and Apache go through rigorous security reviews? Is there proof that “many eyeballs” in open source is at least as good as something like the Security Development Lifecycle in Microsoft? If you’re in a position to know, let’s chat!
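To make the “banned risky function calls” practice above concrete, here is an added example (written for this post, not code from Microsoft or any project mentioned here) of the kind of automated check that enforces such a policy: a small scanner that flags calls to a list of unbounded C string functions in source text and names a bounded replacement for each. The `BANNED` table is an illustrative subset I chose for the example, not the SDL’s actual list, and the C source it scans is constructed inline.

```python
import re

# Illustrative subset of "banned" C runtime functions and what to use instead.
# Constructed for this example; a real policy list is longer and project-specific.
BANNED = {
    "strcpy":  "strcpy_s / strlcpy with an explicit destination size",
    "strcat":  "strcat_s / strlcat",
    "sprintf": "snprintf with a bounded length",
    "gets":    "fgets with a bounded length",
    "strncpy": "strcpy_s (strncpy does not guarantee NUL termination)",
}

# identifier immediately followed by "(" -> a call (or a declaration, which is fine to flag too)
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_strings_and_line_comments(line):
    """Blank out string literals and // comments so text inside them is not flagged."""
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    line = re.sub(r"//.*", "", line)
    return line


def find_banned_calls(source):
    """Return [(line_number, function_name, suggested_replacement)] for banned calls."""
    findings = []
    in_block_comment = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        # handle /* ... */ comments, including ones that span lines
        if in_block_comment:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block_comment = False
        if "/*" in line:
            before, _, after = line.partition("/*")
            if "*/" in after:
                line = before + after.split("*/", 1)[1]
            else:
                line = before
                in_block_comment = True
        line = strip_strings_and_line_comments(line)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in BANNED:
                findings.append((lineno, name, BANNED[name]))
    return findings


# Constructed sample: one function using banned calls, one using a bounded replacement.
SAMPLE_SOURCE = """\
#include <string.h>
#include <stdio.h>

/* constructed sample: copies a caller-supplied name into a fixed buffer */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* banned: no bound on the copy */
    sprintf(buf, "%s!", buf);   // banned: unbounded format
    printf("hello %s\\n", buf); // "strcpy(" inside a string must not be flagged
}

void safe_greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s!", name);
}
"""

if __name__ == "__main__":
    for lineno, name, fix in find_banned_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}() is banned; use {fix}")
```

The scanner is deliberately simple (a regex over comment- and string-stripped lines, not a real C parser), which is how such policy checks usually start: cheap, fast to run on every check-in, and with a low enough false-positive rate that developers keep it enabled. A `"` inside a `//` comment, or a macro that expands to a banned call, would slip past it; that is where a compiler-based check such as a deprecation attribute on the banned functions, or a static analyzer like the ones mentioned in the comments, takes over.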



October 12th, 2007 at 2:38 pm
“In this day and age, isn’t it easy enough to quantify vulnerabilities?”
Nope. It’s easy enough to quantify KNOWN vulnerabilities.
“the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.”
Many eyeballs is useful. Running your code through an analyzer like those from Coverity or Fortify is more useful. For example, look at Coverity’s analysis of Samba (http://scan.coverity.com/rung1.html). 228 defects found by Coverity have been fixed by the Samba team. Samba is certainly a project that has lots of eyeballs on it. I’m sure that some number of those fixes weren’t security related, but I’m equally sure that some were.
October 12th, 2007 at 4:10 pm
I think Swashbuckler makes a good point. Quantifying vulnerabilities is hard since you can only quantify what you know. Scott, the fact that Microsoft is pushing for fixes to CODING ISSUES rather than simply addressing known vulnerabilities is most definitely a step in the right direction. Frankly, I think both sides have it right in their own way.
Anyway, the open source community is VERY GOOD at finding vulnerabilities. That is, for projects with many eyeballs.
That’s the caveat of course.
October 13th, 2007 at 3:35 pm
Closed Vs Open Source Security…
A recent post on the How Software is Built blog (often a good read) seems to be very confused about open Vs closed source quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that remi…