DARPA-funded Linux security hub withers
Kevin Poulsen, SecurityFocus 2004-01-30

Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

The primary lesson: ALL developers need to know how to develop secure software 2004-02-02
Anonymous
I think one lesson here is that it's critical to make sure that ALL developers know how to develop secure software. Very, very few people are willing to just do code reviews all day, and Sardonix suggests that it's hard to set up such programs.

There is one counter-example: OpenBSD. It'd be interesting to learn why the Sardonix project failed, while OpenBSD has been doing code reviews and continues to do so.

So, if you want secure software, make sure the original developers (and their follow-ons) know how to develop secure software. Open source software does get "many eyeballs", but primarily from various developers, not "security code review experts". Proprietary software gets very little code review (generally only the original developer). There are books that tell developers how to write secure code, such as at http://www.dwheeler.com/secure-programs - but they don't help if developers don't read them.

Ridiculous Idea 2004-02-04
Anonymous







 

Copyright 2009, SecurityFocus