> On Wed, 21 Mar 2007, Steven M. Christey wrote:
> : > With rare exceptions, in general, I do not find that the
> : > open source community is that much more security conscious
> : > than those producing closed source. Certainly this seems true
> : > if measured in terms of vulnerabilities and we measure "across
> : > the board" (e.g., take a random sampling from SourceForge) and
> : > not just our favorite security-related applications.

A random sampling from SourceForge will typically find the worst ones. 
Most OSS projects, like most proprietary projects, die due to lack of 
attention from _anyone_.

> : Indeed, CVE and any other refined vulnerability information source is 
> : chock full of open source products on SourceForge that have the most 
> : obvious security holes possible, and let's not forget the open source 
> : products that have gotten a bad reputation such as PHP-Nuke and 
> : Sendmail.

A well-deserved bad reputation, I might add, though I've been told that 
the latest versions of Sendmail are better.

> : Insecure programming is universal.

Absolutely.


security curmudgeon <[EMAIL PROTECTED]> piped in:
> Belated, but I'd like to mimic Mr. Christey's comments here. For almost 
> two decades, we've all heard or believed in the idea that open source is 
> better than closed, because "anyone can look at it". In theory, this is 
> outstanding. In reality, this is a joke told at security conventions.
> 
> Just because people can look at a project in detail, doesn't mean they 
> will. More to the point, just because people can, doesn't mean code 
> auditing gurus will look at it.
> 
> ... the notion that open source will be viewed by thousands of eyes was a 
> nice pipe dream and talking point years back, not reality.

Nonsense.  Widespread review of _some_ OSS programs, by many eyes, _IS_ 
reality.   Just look at the evidence. There are a number of OSS projects 
where it's quite clear just by looking at the SCM records that many 
people _do_ review the code, both manually and by automated means.  The 
OpenBSD developers have been doing manual review for a long, long time, 
and their record of only 2 remote holes in 10 years is quite impressive. 
Debian has a similar audit project as well.  (Both OpenBSD and Debian 
focus their efforts though... only SPECIFIC programs get reviewed, not 
stuff like chess games.)  There's a $500 bounty for finding 
vulnerabilities in Mozilla, and it's clear that many people are 
reviewing Mozilla Firefox's code specifically for security issues. 
There are now several projects that download OSS programs, review them 
through automated tools, and send back their results to the developers 
(DHS and Fortify back two such projects).  The claim that "no OSS 
program gets lots of review" is absolutely untrue.

On the other hand, it's nonsense that just because something is OSS 
means that (1) it's automatically secure or (2) it'll always be 
reviewed.  If _that_ is what you mean, then I completely agree with you. 
Sendmail has had a terrible record - but Exchange is no saint either. 
I'd rather put my money on Postfix, which was specifically DESIGNED to 
be secure, as well as having review, than either of them.

I believe that you need to evaluate the security of OSS programs - or 
proprietary programs - on a case by case basis.   On that, I hope, we 
agree.  Any OSS program can in theory be reviewed, but only some get 
real review.  There are a number of specific OSS programs that do 
markedly better than their proprietary competition in terms of security 
- unsurprisingly, those tend to be the ones that HAVE received lots of 
review. Conversely, there are many OSS programs (and proprietary 
programs) that are absolute junk.  So look before you leap.

--- David A. Wheeler


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________