Tuesday, September 21, 2004

Open Source Security: Still a Myth

Open Source Security: Still a Myth:
“by John Viega

Does the open source process guarantee better security than proprietary development methods do? Not necessarily, warns John Viega. There are several security challenges facing open source software that many developers have so far failed to recognize.”


“In the real world, it's rare that someone reviewing code for security will perform a thorough audit. Line-by-line review is often not feasible, simply because the human mind can't retain a detailed understanding of a large code base. Generally, people have tools to support them. Those tools are a starting point for manual inspection, which focuses on the findings of the tool and looks to see whether there's actually anything to the problem.

"Real" analysis tools are just starting to hit the market. The tools people use tend to be simple ones that don't do sophisticated analysis--grep-like tools such as RATS and flawfinder. A few commercial companies offer "web scanners" that look for common vulnerabilities in an application using a fuzz-like approach (you pick the inputs you think might exercise a common problem, give it a go, and see what happens). The problem with black-box testing for security is that most programs are complex and have states that an automated crawler isn't likely to find. Security problems are often buried in complex systems. Finding them with such an approach would require heavy user interaction to put the system into a large number of different states.

With both the grep-like tools and the black-box testing tools, you will almost always have a large number of false positives to sift through. Most potential auditors throw up their hands in frustration pretty quickly. Those who don't will usually focus on only a few of the reported issues. Even research tools such as BOON tend to have incredibly high false-positive rates.”
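As an added illustration of the grep-like tools and false positives that the quoted passage describes (example code written for this page, not from Viega's article nor from RATS or flawfinder; the C sample and the rule table are constructed), a two-pass scanner: the first pass matches names like a grep tool, the second drops the cheapest false positives and leaves the rest for the manual inspection the article calls for.

```python
import re
from collections import namedtuple
# Constructed sample C source (not from the article): real risks mixed with
# safe uses and look-alikes that a lexical matcher cannot tell apart.
SAMPLE_C = """\
/* legacy code: strcpy(buf, name) was replaced in 2003 */
char g_buf[64];
void copy_name(const char *name) {
    strcpy(g_buf, name);            /* unbounded copy into fixed buffer */
}
void copy_literal(void) {
    strcpy(g_buf, "default");       /* constant source that fits */
}
void log_it(const char *fmt) {
    printf("avoid strcpy() here\\n");
    printf(fmt);                    /* non-constant format string */
}
"""
Finding = namedtuple("Finding", "line func risk why")
# Rules in the spirit of RATS/flawfinder: a function name followed by '('.
RULES = {
    "strcpy": (4, "unbounded copy; is the destination large enough?"),
    "printf": (4, "format-string bug if the format is not a literal"),
}
def scan(source):
    """First pass: flag every call-like match, exactly as a grep tool would."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for func, (risk, why) in RULES.items():
            if re.search(r"\b%s\s*\(" % func, text):
                findings.append(Finding(lineno, func, risk, why))
    return findings

def strip_comments_and_strings(text):
    """Blank string literals and /* */ comments on one line (not a C lexer)."""
    text = re.sub(r'"(?:\\.|[^"\\])*"', '""', text)
    return re.sub(r"/\*.*?\*/", "", text)

def triage(source):
    """Second pass: drop matches that live only in comments or strings, and
    printf calls whose format is a literal. What survives still needs a human:
    no text match can tell whether g_buf is large enough for the copy."""
    lines = source.splitlines()
    kept = []
    for f in scan(source):
        clean = strip_comments_and_strings(lines[f.line - 1])
        m = re.search(r"\b%s\s*\(\s*([^,)]*)" % f.func, clean)
        if m and not (f.func == "printf" and m.group(1).strip() == '""'):
            kept.append(f)
    return kept
```

On the sample, the first pass reports six hits and the second pass keeps three; the strcpy of a constant that fits is still reported, which is exactly the kind of finding only a human reviewer can close.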

The Myth of Open Source Security, http://www.developer.com/tech/article.php/626641

Why Open Source Software/Free Software? Look at the Numbers!, http://www.dwheeler.com/oss_fs_why.html

http://www.onlamp.com/pub/a/security/2004/09/16/open_source_security_myths.html
