Report casts doubt on open source doctrine
Open source proponents go beyond asserting they produce better software. They have a "law" that declares it so.
They claim the Law of Many Eyes (or Linus's Law) leads to higher quality, more secure code. That is, because anyone can view the source code, find problems and report back to the community, better software will result. More eyes = better code.
Some have questioned the logic of this Law, at least as it relates to security. Now those skeptics have some documentation to back up their doubts.
Today, Fortify Software Inc. of San Mateo, Calif. is releasing an analysis it conducted of 11 popular open source software products, such as JBoss, Hibernate, Struts and Tomcat, and the news is not good. According to Jacob West, manager of the security research group for the software security testing company, Fortify found significant vulnerabilities in all the products.
What's more, says West, in looking at different releases of individual software, Fortify found that old security problems often did not get fixed and, worse, new vulnerabilities were introduced.
And, in what should be utterly embarrassing to open source advocates, the report reveals that basic security flaws, such as cross-site scripting errors, which would easily be detected by automated testing tools, are scattered throughout the code.
In sum, the Law of Many Eyes is bogus.
West is not arguing that commercial software is any more secure than open source products, per se. However, he does say the open source process is not delivering secure code and without augmenting the Law of Many Eyes it is unlikely to do so. But, as a user of open source tools, he's concerned that commercial software developers "are pulling away from the open source community in developing good development processes."
That means commercial vendors actually use security experts to analyze source code for flaws and are expanding the use of static code and run-time analysis tools to check and re-check code. But those abiding by the Law of Many Eyes are blind to these processes so far.
West hopes the report will spur improvements within the open source community to employ more sophisticated code-checking processes to assure more secure code. However, given the ideological rigidity of many open source software advocates, adhering to a false Law most likely will trump a new truth.