can make about software security is this: It is all too easy for programmers to leave holes, independent of how the code is being written (for a list of the top five security-related software defects, see SP 2003). The perversity of "crackers" is that wherever they seek security holes, they are likely to find them. Furthermore, they tend to hunt wherever the loudest claims are that the software is secure! For example, in the book Know Your Enemy (Honeypot Project 2002), there is a study of cracker techniques using "honeypot" systems to trap the crackers. One "black hat" was specifically going after Linux-based .EDU systems because of their claims of invulnerability, a chilling thought for both open source advocates and academics who use their wares.
With respect to the open source claims, there is plenty of anecdotal evidence (e.g., SP 2003b) to back the security claims of the open source advocates, as well as their proprietary counterparts. However, there is really no definitive evidence to cause either side to be seen as victorious.
So where do I stand on open source? I see nothing in particular wrong with its fundamental ideas and ideals. But I see plenty wrong with the hype surrounding it. Not that it's any worse than its proprietary brethren in this respect. It's just that I expected more from this particular group! Yes, I do expect more from the open source advocates.
This column is derived, in open source fashion, from the upcoming book Making Sense of the Bazaar: Perspectives on Open Source and Free Software, O'Reilly and Associates, 2003 (available in early fall).
- The Fuzz Papers. Barton P. Miller (University of Wisconsin Computer Science department). A series of studies of utility/operating system software reliability: one published in 1990, another performed in 1995 and published in early 2000, and the most recent in the USENIX Windows Systems Symposium, Aug. 2000. Contact the author for further details.
- Glass 1999. Robert L. Glass. "The Realities of Software Technology Payoffs," Communications of the ACM, Feb. 1999.
- Glass 2002. Robert L. Glass. Facts and Fallacies of Software Engineering, Addison-Wesley, 2002.
- Honeypot Project 2002. The Honeypot Project members. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, Addison-Wesley, 2002.
- Sanders 1998. J. Sanders. "Linux, Open Source, and Software's Future," IEEE Software, Sept. 1998.
- SP 2002. "Holes Found in Open Source Code," The Software Practitioner, Sept. 2002.
- SP 2003. "Security-Related Software Defects: A Top-Five List," The Software Practitioner, Jan. 2003.
- SP 2003b. "Software Security: Which Is Better, Open Source or Proprietary?" The Software Practitioner, Jan. 2003.
- Zhao 2000. Luyin Zhao and Sebastian Elbaum. "A Survey of Quality Related Activities in Open Source," Software Engineering Notes, May 2000.