Open Source and Hype

can make about software security is this: it is all too easy for programmers to leave holes, independent of how the code is being written (for a list of the top five security-related software defects, see SP 2003). The perversity of "crackers" is that wherever they seek security holes, they are likely to find them. Furthermore, they tend to hunt wherever the loudest claims are made that the software is secure! For example, the book Know Your Enemy (Honeypot Project 2002) presents a study of cracker techniques that used "honeypot" systems to trap the crackers. One "black hat" was specifically going after Linux-based .EDU systems because of their claims of invulnerability, a chilling thought for both open source advocates and the academics who use their wares.

With respect to the open source claims, there is plenty of anecdotal evidence (e.g., SP 2003b) to back the security claims of the open source advocates, as well as their proprietary counterparts. However, there is really no definitive evidence to cause either side to be seen as victorious.

So where do I stand on open source? I see nothing in particular wrong with its fundamental ideas and ideals. But I see plenty wrong with the hype surrounding it. Not that it's any worse than its proprietary brethren in this respect. It's just that I expected more from this particular group! Yes, I do expect more from the open source advocates.

Author's Note
This column is derived, in open source fashion, from the upcoming book Making Sense of the Bazaar: Perspectives on Open Source and Free Software, O'Reilly and Associates, 2003 (available in early fall).

References

  • The Fuzz Papers. Barton P. Miller et al. A series of studies of utility and operating system software reliability, beginning with one published in 1990, another performed in 1995 and published in early 2000, and the most recent in the USENIX Windows Systems Symposium, Aug. 2000. Contact the author, Prof. Barton P. Miller of the University of Wisconsin Computer Science department, for further details.
  • Glass 1999. Robert L. Glass, "The Realities of Software Technology Payoffs," Communications of the ACM, Feb. 1999.
  • Glass 2002. Robert L. Glass, Facts and Fallacies of Software Engineering, Addison-Wesley, 2002.
  • Honeypot Project 2002. The Honeypot Project members, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, Addison-Wesley, 2002.
  • Sanders 1998. J. Sanders, "Linux, Open Source, and Software's Future," IEEE Software, Sept. 1998.
  • SP 2002. "Holes Found in Open Source Code," The Software Practitioner, Sept. 2002.
  • SP 2003. "Security-Related Software Defects: A Top-Five List," The Software Practitioner, Jan. 2003.
  • SP 2003b. "Software Security: Which Is Better, Open Source or Proprietary?" The Software Practitioner, Jan. 2003.
  • Zhao 2000. Luyin Zhao and Sebastian Elbaum, "A Survey of Quality Related Activities in Open Source," Software Engineering Notes, May 2000.

About the author

Robert Glass

Robert Glass authors a regular column in IEEE Software magazine. He often questions the merits of open source software and other software development approaches. In the 1970s he began looking objectively at each new software fad and fancy, from the structured approaches to object orientation to agile methods, to see whether there was research support for the impressive claims made for these methods. He describes himself as a "contrarian by nature" and is the proud owner of a certificate that states he is the "premier curmudgeon of software practice." Standing up in front of advancing software steamrollers is his specialty, and it is an activity he has pursued throughout his long and accomplished professional life.
