Thinking About Open Source4 May 2006 · Filed in Musing
Reading about the “Vulnerability Discovery and Remediation Open Source Hardening Project”—a security audit funded by the Department of Homeland Security to regularly review popular open source software (this article has more information)—got me thinking.
The article that sparked my thinking discussed how a critical flaw had been discovered in the X Window System. This flaw was described as one of the most serious flaws uncovered to date. The flaw was corrected quickly, as is typical of most open source projects, but it wasn’t really the flaw itself or the quick response to the flaw that really got to me. Instead, it was the fact that someone was even able to search for such flaws.
The war-cry for open source proponents has always been, “Our software is more secure because more people have seen the code and reviewed it.” Until now, I wasn’t so sure about that argument; after all, how many people were like me? People who loved the projects, supported them in whatever way they could, but aren’t developers? An ordinary guy like me can’t contribute anything significant to an open source project because I don’t know C, C++, C#, Java, Objective-C, or anything else. The fact that I could review the code, until now, didn’t really do me any good. Or so I thought.
Perhaps I’m just coming late to the party. Perhaps it’s the involvement of the government, using my tax dollars, that has driven the idea home. Either way, now I see that the very right to review the source code is what makes open source projects so powerful in comparison with closed source software. As this DHS-sponsored project pores over millions of lines of code to find obscure bugs like the one described above, everyone (even Windows users) benefits. As security flaws, buffer overflows, etc., are corrected in software packages such as Apache (which runs the majority of web sites on the Internet, last I checked), FreeBSD, the Linux kernel, MySQL, the Internet and our own private networks become more secure, more protected, and less likely to be used in attacks against others. This is what the open source proponents have been so excited about, and why support for open source software is so strong.
This doesn’t mean that open source projects are automatically “more secure,” nor does it mean that we should all eschew all forms of commercial software in favor of open source equivalents. But it does mean that we do need to strongly consider open source equivalents, especially the high-profile ones, when developing solutions for customers. In my opinion, it would be a disservice otherwise.Tags: Apache · BSD · Linux · OSS · Security Previous Post: OpenDocument Gets ISO Approval Next Post: Windows Server 2003 R2 as Member Server