On Wed, 21 Mar 2007, Steven M. Christey wrote:
: With rare exceptions, in general, I do not find that the
: open source community is that much more security conscious
: than those producing closed source. Certainly this seems true
: if measured in terms of vulnerabilities and we measure across
: the board (e.g., take a random sampling from SourceForge) and
: not just our favorite security-related applications.
A random sampling from SourceForge will typically find the worst ones.
Most OSS projects, like most proprietary projects, die due to lack of
attention from _anyone_.
: Indeed, CVE and any other refined vulnerability information source is
: chock full of open source products on SourceForge that have the most
: obvious security holes possible, and let's not forget the open source
: products that have gotten a bad reputation such as PHP-Nuke and
: Sendmail.
A well-deserved bad reputation, I might add, though I've been told that
the latest versions of Sendmail are better.
: Insecure programming is universal.
Absolutely.
security curmudgeon [EMAIL PROTECTED] piped in:
Belated, but I'd like to mimic Mr. Christey's comments here. For almost
two decades, we've all heard or believed in the idea that open source is
better than closed, because anyone can look at it. In theory, this is
outstanding. In reality, this is a joke told at security conventions.
Just because people can look at a project in detail, doesn't mean they
will. More to the point, just because people can, doesn't mean code
auditing gurus will look at it.
... the notion that open source will be viewed by thousands of eyes was a
nice pipe dream and talking point years back, not reality.
Nonsense. Widespread review of _some_ OSS programs, by many eyes, _IS_
reality. Just look at the evidence. There are a number of OSS projects
where it's quite clear just by looking at the SCM records that many
people _do_ review the code, both manually and by automated means. The
OpenBSD developers have been doing manual review for a long, long time,
and their record of only 2 remote holes in 10 years is quite impressive.
Debian has a similar audit project as well. (Both OpenBSD and Debian
focus their efforts though... only SPECIFIC programs get reviewed, not
stuff like chess games.) There's a $500 bounty for finding
vulnerabilities in Mozilla, and it's clear that many people are
reviewing Mozilla Firefox's code specifically for security issues.
There are now several projects that download OSS programs, review them
through automated tools, and send back their results to the developers
(DHS and Fortify back two such projects). The claim that no OSS
program gets lots of review is absolutely untrue.
On the other hand, it's nonsense that just because something is OSS
means that (1) it's automatically secure or (2) it'll always be
reviewed. If _that_ is what you mean, then I completely agree with you.
Sendmail has had a terrible record - but Exchange is no saint either.
I'd rather put my money on Postfix, which was specifically DESIGNED to
be secure, as well as having review, than either of them.
I believe that you need to evaluate the security of OSS programs - or
proprietary programs - on a case by case basis. On that, I hope, we
agree. Any OSS program can in theory be reviewed, but only some get
real review. There are a number of specific OSS programs that do
markedly better than their proprietary competition in terms of security
- unsurprisingly, those tend to be the ones that HAVE received lots of
review. Conversely, there are many OSS programs (and proprietary
programs) that are absolute junk. So look before you leap.
--- David A. Wheeler
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___