On Wed, Jun 03, 2009 at 08:32:38PM +0200, Wojciech Puchar wrote:
>
> Everyone can find them and fix, but at the same time everyone can find
> them and use them.
>
> With closed source both are more difficult.

That's not strictly true. In general, it's easier to discover vulnerabilities through reverse engineering techniques, fuzzing, et cetera, than by sifting through source code. The exceptions are cases where someone made a *really* bone-headed coding error. As a result, except when a programmer who adds code to the project is just completely incompetent (or has such an incompetent moment -- we all make mistakes), and it somehow passes review by other people on the development team (unlikely unless people aren't reviewing each other's code), it really isn't any easier to discover security vulnerabilities in open source software than in closed source software.

The purely technical difference provided by open source software when it comes to vulnerability discovery and patching is that, once a vulnerability has been found, its origins in the source code can be tracked down and patched by *anyone*. In short, in technical terms, open source software makes it easier to *fix* vulnerabilities because it opens the pool of potential patch developers beyond the core team, but it doesn't really make it any easier to *discover* vulnerabilities in the general case.

Then, of course, there are the social effects -- which encourage people who have a healthy interest in the software to contribute to its security and stability through a number of related social mechanisms. Overall, it's a tremendous win for open source software development. That doesn't mean that any given open source application will necessarily, inherently be more secure than any given closed source equivalent. It does, however, mean that if you're a betting man, your chances of winning a bet lie with the open source application, all else being equal.

>
> >In MICROS~1 land, you give yourself entirely into the hand of a
> >corporation that is not interested in selling secure products,
>
> So this is not open/closed source problem, but micro-soft approach.
> They just don't care about security. As they don't care about performance
> and about bugs. But that's just micro-soft.

Part of the problem of closed source software is that it provides a kind of "safe haven" for such unscrupulous software developers and vendors, where many such failings of secure development may go unnoticed due to the inability to determine exactly what's going on under the hood once you've noticed there's something wrong with the application.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Common Reformulation of Greenspun's Tenth Rule: Any sufficiently
complicated non-Lisp program contains an ad hoc informally-specified
bug-ridden slow implementation of half of Common Lisp.