Open Source Culture Needs To Be Security Culture, Too - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Enterprise Architecture
Commentary
8/29/2008
12:28 PM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Open Source Culture Needs To Be Security Culture, Too

How to react to the news that an earlier flaw in Debian's random-number generator has been used to fuel an honest-to-Linus exploit, especially after yesterday's post? Welcome to the tip of the iceberg.

How to react to the news that an earlier flaw in Debian's random-number generator has been used to fuel an honest-to-Linus exploit, especially after yesterday's post? Welcome to the tip of the iceberg.

It's been said, somewhat cynically, that one possible good reason we don't see more Linux exploits scurrying around in the wild is because Linux doesn't represent the same kind of attack surface for criminal hackers as Windows does. True, Linux still doesn't have the desktop market share of even the Macintosh -- but it's become that much more interesting as a target because of the number of server and infrastructure systems that use it.

That doesn't so much replace the malign opportunities provided by Windows malware as it augments them. Now instead of just turning Windows desktops into zombies, you can attack Linux servers and maybe have the two of them work hand-in-hand to wreak havoc. What we have now is bad enough, but the idea of adding compromised Linux servers to the mix makes me blanch.

For these reasons it's becoming all the more crucial that open source in general, and Linux in particular, think as proactively as possible about what can go wrong and in what contexts. This means a culture of security consciousness that is at least as pervasive as the culture of open source itself -- a conscientiousness about security by everyone involved, on the order of the existing conscientiousness about licensing.

Maybe asking for such a thing is unrealistic. I don't think it's unrealistic to ask for it -- it's unrealistic to expect everyone to become security-conscious overnight, but in my opinion absolutely not unrealistic to keep a steady and resolute pressure on the community. People need to become conscious of the fact that the code they write can be reused in places they might never have anticipated -- and that the people doing the recycling might not be savvy about security. (And shame on them if they aren't.)

We need to start doing this now. Not after some major disaster, not as PR spin or a post facto damage-control measure. If the folks in the open source world can be as morally conscientious about security as they are the freedoms associated with their code, I'd say they'd be prepared for just about anything.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
Commentary
Is the Computer Science Degree Dead?
Guest Commentary, Guest Commentary,  11/6/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll