Software // Enterprise Applications
News
5/6/2015 06:06 AM
Charles Babcock

8 Linux Security Improvements In 8 Years

Linux started getting really serious about security in 2007, and it has made big strides in the past three years. As open source code faces more threats, Linux can't rest on its laurels.
(Image: Nemo via Pixabay)

At a time when faith in open source code has been rocked by an outbreak of attacks based on the Shellshock and Heartbleed vulnerabilities, it's time to revisit what we know about Linux security. Linux is so widely used in enterprise IT, and deep inside Internet apps and operations, that any surprises related to Linux security would have painful ramifications.

In 2007, Andrew Morton, a no-nonsense colleague of Linus Torvalds known as the "colonel of the kernel," called for developers to spend time removing defects and vulnerabilities. "I would like to see people spend more time fixing bugs and less time on new features. That's my personal opinion," he said in an interview at the time.

So how's that going? Since Morton issued his call, Linux has added several million lines of code and many thousands of patches and new features. The Linux kernel development process has shown marked improvement on the security front. It was as good as, or better than, most commercial code when Morton issued his 2007 challenge, and when InformationWeek checked into its defect-fixing record, it was surprising how many gains have been made in the last three years.

Linux is better than most commercial code. For example, where one defect per 1,000 lines of code is considered quality, Linux in July 2014 had 0.55 defects per 1,000 lines. Linux is also better than most other open source projects. That didn't happen overnight, and it didn't happen without changes to the kernel process. What has happened with Linux should serve as a standard by which other projects are measured. As concern grows about the security and maintainability of open source code in the Internet's infrastructure, there may be lessons to learn from Linux's example.

Linux is an extremely large software project. It had 4,100 contributors to its last release, and over half of them were new contributors. It's one thing for a small and practiced software team to ride herd on a tight code base and police each other's bugs. It's another thing entirely to clean up a long-term project with a sprawling and revolving list of contributors. The larger the project, the higher the likely rate of defects. With that in mind, let's look at steps Linux has taken, learn about the people involved in that effort, and explore how Linux stacks up in 2015.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments

Ashu001
User Rank: Ninja
6/8/2015 | 11:16:06 AM
Re: Open Source is Superior
Asksqn,

This is not meant to be a defense for proprietary code, but don't you feel we have had more than our fair share of vulnerabilities in Open Source environments in the last year or so [Shellshock, Bash vulnerabilities, etc.]?

The big problem that Open Source has is lack of enthusiasts with financial staying power.

Even great programs like TOR & Veracrypt have seen cutbacks (or abandonment of support).

Why is that the case?

Not really surprising.

Everyone wants to use Open Source (and rave about it), but not many folks want to contribute (financially) to it.

I am reminded of the case of that German developer who was so close to quitting the entire development of something as important as encryption for email because he had no funds to spare (Werner Koch behind GNU Privacy Guard): www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

How does one deal with that situation?

This gentleman got lucky thanks to that ProPublica article, and he managed to raise the funds he needs to keep the project going at least for the next 5 years.

What about many other projects which are again manned by just one or two folks?

No easy answers, unfortunately.

At least the cash-rich companies have funds to throw developers and other resources at their security bugs.


Regards

Ashish.

Ashu001
User Rank: Ninja
6/8/2015 | 10:54:50 AM
Re: Path to security starts in development
Charlie,

I am not surprised a bit that these are the primary issues discovered in Linux Security Audits.

Why is that?

If one looks at basic software in general, and especially coding best practices lists (from OWASP, SANS, etc.), these are all among the top 10 vulnerabilities discovered every year.

Guessing that more and more automation in coding best practices will reduce these errors?

Ashu001
User Rank: Ninja
6/6/2015 | 11:48:08 AM
Re: More Simple, More Secure
Christian,

Great-Great point!

Kernel bloat has been the topic of many a paper and article and the simple truth is that simplicity lends to security in terms of manageable code.

That is as good a statement as I could have said (and in as simple a fashion as one could put it).

The more complex code becomes, the more chances of error creeping in.

This is also why Apple is moving away from Objective C and towards Swift today.

Open source has enormous fans and traction, just need to keep supporting it going ahead.

Regards

Ashish.

Charlie Babcock
User Rank: Author
5/8/2015 | 8:41:53 PM
Julia Lawall and other names you don't hear everyday
The Coccinelle scanning tool "is currently maintained mostly by myself and Sebastien Hinderer," writes Julia Lawall, its principal author, "with some contributions from Nicolas Palix, Iago Abal, Chi Pham. Several other people have worked on it at various times over the years."
Christian Bryant
User Rank: Strategist
5/7/2015 | 4:24:57 AM
More Simple, More Secure
This is a great reminder of not only the importance of integrating solid development practices no matter how mature your project is, but also that open source code (or "free" as in freedom) has benefits far beyond simply being free. With deep insight into kernel internals, for instance, the entire kernel hacking community has access to code, scanning results, and developer knowledge, lending to important security and functional bug fixes.

However, it is also a lesson in bloat. More and more I'm building my kernel with a stripped-down footprint, not only choosing Linux-libre over the mainline code that contains non-free "blobs" which could contain security issues that can't easily be fixed because they are closed-source objects, but also longing for a more micro-kernel-like build. Kernel bloat has been the topic of many a paper and article, and the simple truth is that simplicity lends to security in terms of manageable code.

That said, I have watched the development of Linux since the early days (I'm practically a gray-beard), and it is one of the most impressive projects out there, with lots of strong personalities but with a drive to make sure users continue to have a free kernel that gives people what they need.

Great article for reminding everyone why we love Linux.

Charlie Babcock
User Rank: Author
5/6/2015 | 5:24:51 PM
Path to security starts in development
Buffer overflows, integer overflows and format string errors are among the top problems buried in Linux code. "The road to application quality and security starts in development," wrote Zack Samocha, sr. director of products at Coverity, in the Coverity Security Spotlight Report on Open Source in 2013.
asksqn
User Rank: Ninja
5/6/2015 | 1:27:14 PM
Open Source is Superior
>>Coverity isn't allowed to release the results of its tests of commercial code[...] <<

Thereby demonstrating why Open Source will always be superior. Meanwhile, Oracle/SAP et al. would rather keep their flaws a big "trade" secret rather than fix security bugs. It's standard operating procedure for commercial vendors to shoot the messenger rather than deal with bugs. And the consumer gets charged for this "service." Open Source clearly provides more bang for the buck, and you can't get any better than FREE.