8 Linux Security Improvements In 8 Years - InformationWeek


Software // Enterprise Applications
News
5/6/2015 06:06 AM
Charles Babcock
8 Linux Security Improvements In 8 Years

Linux started getting really serious about security in 2007, and it has made big strides in the past three years. As open source code faces more threats, Linux can't rest on its laurels.

(Image: Nemo via Pixabay)

(Image: Nemo via Pixabay)

At a time when faith in open source code has been rocked by an outbreak of attacks based on the Shellshock and Heartbleed vulnerabilities, it's time to revisit what we know about Linux security. Linux is so widely used in enterprise IT, and deep inside Internet apps and operations, that any surprises related to Linux security would have painful ramifications.

In 2007, Andrew Morton, a no-nonsense colleague of Linus Torvalds known as the "colonel of the kernel," called for developers to spend time removing defects and vulnerabilities. "I would like to see people spend more time fixing bugs and less time on new features. That's my personal opinion," he said in an interview at the time.

So how's that going? Since Morton issued his call, Linux has added several million lines of code and many thousands of patches and new features, yet the kernel development process has shown marked improvement on the security front. It was already as good as, or better than, most commercial code when Morton issued his 2007 challenge. When InformationWeek checked into its defect-fixing record, the number of gains made in the last three years was surprising.

Linux is better than most commercial code. For example, where one defect per 1,000 lines of code is considered quality, Linux in July 2014 had 0.55 defects per 1,000 lines. Linux is also better than most other open source projects. That didn't happen overnight, and it didn't happen without changes to the kernel process. What has happened with Linux should serve as a standard by which other projects are measured. As concern grows about the security and maintainability of open source code in the Internet's infrastructure, there may be lessons to learn from Linux's example.

Linux is an extremely large software project. It had 4,100 contributors to its last release, and over half of them were new contributors. It's one thing for a small and practiced software team to ride herd on a tight code base and police each other's bugs. It's another thing entirely to clean up a long-term project with a sprawling and revolving list of contributors. The larger the project, the higher the likely rate of defects. With that in mind, let's look at steps Linux has taken, learn about the people involved in that effort, and explore how Linux stacks up in 2015.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments

Charlie Babcock, User Rank: Author, 5/8/2015 | 8:41:53 PM
Julia Lawall and other names you don't hear everyday
The Coccinelle scanning tool "is currently maintained mostly by myself and Sebastien Hinderer," writes Julia Lawall, its principal author, "with some contributions from Nicolas Palix, Iago Abal, Chi Pham. Several other people have worked on it at various times over the years."

Charlie Babcock, User Rank: Author, 5/6/2015 | 5:24:51 PM
Path to security starts in development
Buffer overflows, integer overflows and format string errors are among the top problems buried in Linux code. "The road to application quality and security starts in development," wrote Zack Samocha, sr. director of products at Coverity, in the Coverity Security Spotlight Report on Open Source in 2013.