Message-ID: <3DE55E23.A9A3D324@wretched.demon.co.uk>
From: Simon at wretched.demon.co.uk (Simon Waters)
Subject: Why don't more of us check the source code? was Re: Netscape Problems.

Can we not move the debate forward from whether "Open Source" is
better or worse in terms of security issues?

Many factors influence how many flaws software has: developer
know-how, developer commitment, development methodology, design
quality, language choice and quality assurance procedures.
Many of these factors are not dependent on whether the source is
available or not. Spafford has even declared for agnosticism on
this point.

The suggestion that "no one is looking at open source code" is
clearly not supportable: I have received bug fixes from well-known
names in secure coding, fixing flaws in open source code, ergo at
least one person is looking. It seems that no one has run even
basic automated source code tools over large sections of the
available free and open source software and reported or patched
the code.

I think a key point here is that these security fixes only exist
because the code was open source, and thus the auditor could
independently identify and report such flaws from automated
source code analysis. A closed source product could do the same
if they chose to use that tool in-house, but the potential exists
for open source, and especially free software, to do better than
it has done, and possibly better than closed source packages,
where only a limited number of tests are likely to be performed.

It also shows the pointlessness of counting fixes: the more
inspections, the more fixes. Of course, ideally they would all be
done before formal release, but in the real world some bugs get
through; the best we can hope for is better coding and techniques
that minimise the scope of bugs to irritating failures rather
than security issues.

However, I'd accept that not enough people are looking for
security flaws in open source products (or at least looking and
reporting ;-). One of the advantages of open source should be the
ability to do more extensive checking before you use code, so I
suggest we all go from "./configure ; make ; make install" to
"CCFLAGS= ---more paranoid checking ---- ; ./configure ; make ;
rats --blah-- ; lclint --blah2-- ; ... other checks .. ; make
install".

I can't believe it is beyond the wit of man to automate this
basic checking, and thus fairly quickly process large numbers of
GNU-style packages. Perhaps even the default template Makefiles
in automake/autoconf could be altered to use such tools - the
easier you make something, the more it will happen!

Also, the focus has historically been on programs that use setuid
or elevated privileges or provide network services; however, this
is clearly insufficient: all software that handles untrusted input
(which is most of it, I'd suggest) needs to be secure.

I think arguing over who is better or worse in the status quo is
missing the fact that much of the better software is still not
achieving the basic levels of security necessary (and I'm as
guilty as the next coder, both in my proprietary and free
software).