Falling Apart at the Seams
Kathleen Ellis and Jon Lasser, SecurityFocus 2000-09-04

Last month's Brown Orifice program opened a backdoor to an insecure future. Can open source save the day?

User: friend or enemy? 2000-09-05
Pavel Roskin (1 replies)
User: friend or enemy? 2000-09-08
foo
Open Source Solution 2000-09-05
Pete Kofod (2 replies)
Re: Open Source Solution 2000-09-08
angel'o'sphere (1 replies)
Re: Open Source Solution 2000-09-08
Richard
Open Source Solution 2000-09-08
Mike Crist
Open source is not a silver bullet 2000-09-06
Your friendly neighborhood software developer
"All bugs are shallow" is a delusion of Open Source Arguments 2000-09-08
peter (at) smalltalk (dot) org [email concealed]
"The key to solving this problem is the open source movement, and its propensity for keeping code development simple and ego-free."

"Raymond's formulation of Linus's Law in his classic open source polemic The Cathedral and the Bazaar, that "Given enough eyeballs, all bugs are shallow," hints at the solution. Raymond also suggests that open source software need not fall prey to Brooks' Law, the belief that (in Raymond's words) "the complexity and communication costs of a project rise with the square of the number of developers, while work done only rises linearly." Raymond invokes Gerald Weinberg when adding, 'in shops where developers are not territorial about their code, and encourage other people to look for bugs and potential improvements in it, improvement happens dramatically faster than elsewhere.'"

I agree with Gerald Weinberg but not Linus because of the assumption that Open Source automatically endows an open source project with a large number of competent eyeballs. It's not enough to have eyeballs, as it's important to have competent eyeballs with brains behind them that actually take collaborative and positive action upon seeing a problem or solution to a problem.

I disagree that the solution is open source. Open Source is a software development methodology, NOT a technology design. The solution will exist in the technology design and implementation arena, NOT in a software development methodology.

The security technologies required to solve these and other security vulnerabilities ARE NOT THE EXCLUSIVE DOMAIN of open source development projects. ANY software developer community, open or closed, could deliver an implementation of a properly designed solution that would plug the holes. The only advantage that open source MIGHT have is the number of people looking at the source code, BUT this must be mitigated against the number of these people who are actually competent software developers with a background in software security issues.

The key issue is whether the people doing the software development are competent at seeing and solving the problems or security vulnerabilities. Experience and knowledge with security vulnerabilities and other security issues is key for the people involved.

Open or closed source software development methodologies and software security vulnerabilities are separate issues.


Link to this comment: http://www.securityfocus.com/comments/articles/80/3320#3320
Open source WORKS! 2000-09-08
Another friendly software developer
Mozilla and JavaScript 2000-09-08
Markus Fleck
How many ways can one article be wrong? 2000-09-08
Charles Miller
Copyright 2009, SecurityFocus