CyberTech Rambler

January 9, 2008

Endorsement of Open Source Security (updated)

Filed under: Uncategorized — ctrambler @ 6:53 pm

A while ago, Homeland Security spent some money to get a source code analysis company to perform an audit of popular open source code. The results and follow-ups are reported in this Information Week article (11 Jan – vital updates here). Some commentators in the comment section say that this is simply FUD ammunition for closed source companies to fire at the open source community. I disagree. Sure, it is possible to use the results as a FUD bullet, but the article itself is not FUD; a careful reading shows that it is a ringing endorsement of open source.

At the very least, it shows that, with the exception of Firebird (corrected on 11 Jan, after reading the correction here), all of the open source projects investigated take very active steps to investigate and correct the flaws identified by the company. The speed of correction is also very impressive.

Every piece of software has vulnerabilities. Moreover, the very fact that the “Process”/analysis approach used by the contractor found bugs proves that the “Process” approach has merits. Anyone who wants to spread FUD will concentrate on the absolute bug count. However, the more impartial (but still faulty) measure is the error rate, i.e. bugs per line of code, since that normalizes for the size of the code base. If we take the first sentence of the article as absolute truth, it appears that the current open source process is as good as whatever processes closed source companies deploy. This casts further doubt on the FUD article championing the “Process” approach by Microsoft.

Moreover, the results from the various open source projects show that the theory that “more eyeballs make bugs shallow” holds some water, as Linux has a lower error rate than other, less popular projects.

Note that as we do not have results for closed source software to compare with, we cannot, based on these results, say whether closed source vendors are better or worse at handling security and other vulnerability issues. Unless they are willing to subject their source code to the same test methodology by an independent company, any closed source company trying to capitalize on this must be viewed with suspicion and can be accused of spreading FUD.

