On Wed, 21 Mar 2007, Steven M. Christey wrote:

: > With rare exceptions, in general, I do not find that the
: > open source community is that much more security conscious
: > than those producing closed source. Certainly this seems true
: > if measured in terms of vulnerabilities and we measure "across
: > the board" (e.g., take a random sampling from SourceForge) and
: > not just our favorite security-related applications.
:
: Indeed, CVE and any other refined vulnerability information source is
: chock full of open source products on SourceForge that have the most
: obvious security holes possible, and let's not forget the open source
: products that have gotten a bad reputation such as PHP-Nuke and
: Sendmail. Insecure programming is universal.
Belated, but I'd like to mimic Mr. Christey's comments here. For almost two decades, we've all heard or believed in the idea that open source is better than closed, because "anyone can look at it". In theory, this is outstanding. In reality, this is a joke told at security conventions. Just because people can look at a project in detail doesn't mean they will. More to the point, just because people can doesn't mean code auditing gurus will look at it. If you consider projects like the Linux kernel, there are definitely a *lot* of coding ninjas involved. Despite that, we see a never-ending stream of vulnerabilities (mostly local DoS attacks) being published. Does this mean the Linux kernel developers are irresponsible/incompetent/lazy/whatever? Absolutely not. It only means that the notion that open source will be viewed by thousands of eyes was a nice pipe dream and talking point years back, not reality.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________