Comments on: Is Security Really That Hard to Measure? http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/ Mon, 10 Oct 2011 21:49:16 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: OSS Watch team blog » Blog Archive » Closed Vs Open Source Security http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/comment-page-1/#comment-2496 OSS Watch team blog » Blog Archive » Closed Vs Open Source Security Thu, 23 Oct 2008 15:27:16 +0000 http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/#comment-2496 [...] quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that reminds the reader that the blog is sponsored by [...] [...] quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that reminds the reader that the blog is sponsored by [...]

]]> By: OSS Watch team blog http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/comment-page-1/#comment-239 OSS Watch team blog Sat, 13 Oct 2007 15:35:16 +0000 http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/#comment-239 <strong>Closed Vs Open Source Security...</strong> A recent post on the How Software is Built blog (often a good read) seems to be very confused about open Vs closed source quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that remi... Closed Vs Open Source Security…

A recent post on the How Software is Built blog (often a good read) seems to be very confused about open Vs closed source quality control processes, especially with respect to security vulnerabilities. Unfortunately this is one of those posts that remi…

]]> By: Dustin Puryear http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/comment-page-1/#comment-237 Dustin Puryear Fri, 12 Oct 2007 16:10:57 +0000 http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/#comment-237 I think Swashbuckler makes a good point. Quantifying vulnerabilities is hard since you can only quantify what you know. Scott, the fact that Microsoft is pushing for fixes to CODING ISSUES rather than simply addressing known vulnerabilities is most definitely a step in the right direction. Frankly, I think both sides have it right in their own way. Anyway, the open source community is VERY GOOD at finding vulnerabilities. That is, for projects with many eyeballs. :) That's the caveat of course. I think Swashbuckler makes a good point. Quantifying vulnerabilities is hard since you can only quantify what you know. Scott, the fact that Microsoft is pushing for fixes to CODING ISSUES rather than simply addressing known vulnerabilities is most definitely a step in the right direction. Frankly, I think both sides have it right in their own way.

Anyway, the open source community is VERY GOOD at finding vulnerabilities. That is, for projects with many eyeballs. :)

That’s the caveat of course.

]]> By: Swashbuckler http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/comment-page-1/#comment-236 Swashbuckler Fri, 12 Oct 2007 14:38:21 +0000 http://howsoftwareisbuilt.com/2007/10/12/is-security-really-that-hard-to-measure/#comment-236 "In this day and age, isn’t it easy enough to quantify vulnerabilities?" Nope. It's easy enough to quantify KNOWN vulnerabilities. "the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective." Many eyeballs is useful. Running your code through an analyzer like those from Coverity or Fortify is more useful. For example, look at Coverity's analysis of Samba (http://scan.coverity.com/rung1.html). 228 defects found by Coverity have been fixed by the Samba team. Samba is certainly a project that has lots of eyeballs on it. I'm sure that some number of those fixes weren't security related, but I'm equally sure that some were. “In this day and age, isn’t it easy enough to quantify vulnerabilities?”

Nope. It’s easy enough to quantify KNOWN vulnerabilities.

“the response is almost universally “many eyeballs,” and faith (without data) that “many eyeballs” is effective.”

Many eyeballs is useful. Running your code through an analyzer like those from Coverity or Fortify is more useful. For example, look at Coverity’s analysis of Samba (http://scan.coverity.com/rung1.html). 228 defects found by Coverity have been fixed by the Samba team. Samba is certainly a project that has lots of eyeballs on it. I’m sure that some number of those fixes weren’t security related, but I’m equally sure that some were.

]]>