Open-Source Security: Trust, But VerifyOpen-Source Security: Trust, But Verify
Is open-source software more secure than proprietary software? There may be just one company on the planet that can answer that question, and they aren't talking. What they <em>can</em> tell us, however, may be just as interesting -- and perhaps even more disturbing.
February 13, 2008
Is open-source software more secure than proprietary software? There may be just one company on the planet that can answer that question, and they aren't talking. What they can tell us, however, may be just as interesting -- and perhaps even more disturbing.The company in question, Coverity, builds software source code-analysis tools that, among other tasks, test code for potential security flaws. Coverity's code-analysis tools are probably the best in the business, which explains why many of the world's most prominent software developers -- proprietary and open-source alike -- rely upon them.
According to David Maxwell, Coverity's chief open source strategist, proprietary software developers use the company's tools to scan upwards of 400 different product lines. If you're looking for a statistically valid sample, that sounds like a pretty good start. Not that it matters: Coverity, for obvious reasons, doesn't discuss its findings with anyone except its customers. What do those customers have to say about Coverity's findings? As a rule, about as much as Coverity has to say about them. With very few exceptions, you'll have to trust them when they tell you their proprietary software is really, really secure -- and that if any bugs somehow show up in their code, they get squashed quicker than you can say "regression error." Or, if you're Microsoft, they get squashed every Tuesday. Maybe. All kidding aside, it's cynical -- and almost certainly wrong -- to claim that most vendors see the "black box" approach to software security as just another product-marketing tactic. Alerting every black-hat on the planet to an unpatched security flaw poses serious risks both to the vendor and especially to its customers. On the other hand, it is also true that some flaws are paper tigers that have zero chance of spawning real-world exploits. In such cases, a company may have better things to do with its software-development resources -- unless, of course, a competitor gets wind of the bug and turns it into a handy PR bludgeon. In other words, the black-box approach has its merits, and not just for the vendors that employ it. The fact is, when a software vendor says, "trust me," quite a few customers are willing to do just that. Yet if you prefer, as The Gipper so famously put it, to "trust but verify," the black-box approach probably gives you the creeps. Open-source projects, of course, take a very different approach to dealing with these challenges. Tomorrow, I'll explain why the Open Source approach, in my opinion, is almost always better. And I promise my reasons won't involve taking anyone's word about anything -- unless, that is, they can serve up their word with a big side dish of cold, hard facts.
About the Author(s)
You May Also Like