Comment Re:Open source as a deterrent (Score 1) 225
...security through ANY development methodology is not a given. I think what we are talking about here is which method(s) have the highest potential to produce secure software and systems. Having worked in the industry for a few years, I have to say that I think the open-source model has the higher potential, but not how you might suspect.
The "many eyeballs" counterpoint is somewhat flawed because they need to be highly skilled and focused - this happens on some projects (like OpenBSD), and not on others, for whatever reason: time, interest, ability, etc. The point here is the opportunity for review, which clearly does not exist in the closed-source model. However, the most compelling counterpoint to me has to do with the nature and culture of the open-source model itself.
In the open-source model, programmers have to be willing to be publicly scrutinized on the work that they produce. Reputations (as well as egos) typically are checked at the door of a project, and everyone involved learns at a much higher rate collectively through the peer review process. Guys and gals that do security right set the example and teach others - again, much more quickly than in the closed-source environment. The implications for secure code are fairly obvious.
The reputation game is probably the most bothersome aspect to the closed-source companies, security companies in particular. Unfortunately, we have created an environment where the expectation for these companies is so high that any breach is looked upon as a major PR problem and not an opportunity to improve the security of their product(s). I have witnessed major security vulnerabilities swept under the carpet for months by these companies because of the reputation games that they play. Conversely, the open-source community tends to skip the foot dragging and excuses part and proceeds to FIX THE PROBLEM.
Security is not easy; the better development model is the one that acknowledges that fact and provides a proactive, informed and expedient response. As someone earlier pointed out, we all are human... in the context of security, we need a development model that identifies vulnerabilities as quickly as possible and then fixes them that much faster. The closed-source model just isn't built that way, and the current "reputation game" is clearly hurting the industry's ability to be responsive in this dynamic environment.
Finally, the business models of the closed-source companies (and their reliance on proprietary code license fees) will stop them from addressing many of these issues near term - and that's why the open-source model is the superior model for security...