Open-Source Security: Trust, But Verify - InformationWeek

Commentary
2/13/2008
07:22 PM

Is open-source software more secure than proprietary software? There may be just one company on the planet that can answer that question, and they aren't talking. What they can tell us, however, may be just as interesting -- and perhaps even more disturbing.

The company in question, Coverity, builds software source code-analysis tools that, among other tasks, test code for potential security flaws. Coverity's code-analysis tools are probably the best in the business, which explains why many of the world's most prominent software developers -- proprietary and open-source alike -- rely upon them.

According to David Maxwell, Coverity's chief open source strategist, proprietary software developers use the company's tools to scan upwards of 400 different product lines. If you're looking for a statistically valid sample, that sounds like a pretty good start. Not that it matters: Coverity, for obvious reasons, doesn't discuss its findings with anyone except its customers.

What do those customers have to say about Coverity's findings? As a rule, about as much as Coverity has to say about them. With very few exceptions, you'll have to trust them when they tell you their proprietary software is really, really secure -- and that if any bugs somehow show up in their code, they get squashed quicker than you can say "regression error."

Or, if you're Microsoft, they get squashed every Tuesday. Maybe.

All kidding aside, it's cynical -- and almost certainly wrong -- to claim that most vendors see the "black box" approach to software security as just another product-marketing tactic. Alerting every black-hat on the planet to an unpatched security flaw poses serious risks both to the vendor and especially to its customers. On the other hand, it is also true that some flaws are paper tigers that have zero chance of spawning real-world exploits. In such cases, a company may have better things to do with its software-development resources -- unless, of course, a competitor gets wind of the bug and turns it into a handy PR bludgeon.

In other words, the black-box approach has its merits, and not just for the vendors that employ it. The fact is, when a software vendor says, "trust me," quite a few customers are willing to do just that.

Yet if you prefer, as The Gipper so famously put it, to "trust but verify," the black-box approach probably gives you the creeps. Open-source projects, of course, take a very different approach to dealing with these challenges. Tomorrow, I'll explain why the Open Source approach, in my opinion, is almost always better. And I promise my reasons won't involve taking anyone's word about anything -- unless, that is, they can serve up their word with a big side dish of cold, hard facts.
