Kevin, I would love to see open source communities embrace secure coding practices with stronger assistance from software vendors in this space. This of course requires going beyond "audit" capability and figuring out ways to get the tools into developers hands.
As a contributor to open source projects, I struggle with introducing security as I already contribute my time with the support/blessing of my significant other but she wouldn't let me spend hard cash on tools for contributing to open source. I wish there was a better answer for us all in this seat. Generally speaking, many of my peers outside of work contribute to open source with the rationale that it a safer place from a political perspective to try things out, kinda like a POC where the outcome doesn't have to be successful and it won't show up on your annual review. Lately, I haven't figured out how to reduce my own exposure... -----Original Message----- From: Wall, Kevin [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 20, 2007 9:16 PM To: McGovern, James F (HTSC, IT) Cc: sc-l@securecoding.org Subject: RE: [SC-L] Economics of Software Vulnerabilities James McGovern apparently wrote... > The uprising from customers may already be starting. It is > called open source. The real question is what is the duty of > others on this forum to make sure that newly created software > doesn't suffer from the same problems as the commercial > closed source stuff... While I agree that the FOSS movement is an uprising, it: 1) it's being pushed by "customers" so much as IT developers 2) the "uprising" isn't so much as being an outcry against security as it is against not being able to have the desired features implemented in a manner desired. At least that's how I see it. With rare exceptions, in general, I do not find that the open source community is that much more security consciousness than those producing closed source. Certainly this seems true if measured in terms of vulnerabilities and we measure "across the board" (e.g., take a random sampling from SourceForge) and not just our favorite security-related applications. Where I _do_ see a remarkable difference is that the open source community seems to be in general much faster in getting security patches out once they are informed of a vulnerability. I suspect that this has to do as much with the lack of bureaucracy in open source projects as it does the fear of loss of reputation to their open source colleagues. However, this is just my gut feeling, so your gut feeling my differ. (But my 'gut' is probably bigger than yours, so feeling prevails. ;-) Does anyone have any hard evidence to back up this intuition. I thought that Ross Anderson had done some research along those lines. -kevin --- Kevin W. Wall Qwest Information Technology, Inc. [EMAIL PROTECTED] Phone: 614.215.4788 "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
