From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Sun Feb 03 2002 - 16:30:08 MST
hal@finney.org wrote,
> In my experience the degree of review provided by
> the open source community is haphazard, random and
> spotty. Just publishing software as open source is
> no guarantee that anyone will review its security
> flaws closely.
I agree. But having closed source guarantees that interested parties cannot
review its security flaws closely. It also prevents the customer from
verifying security, and they end up having to assume or trust the vendor
with no evidence of security.
> In my opinion and experience, a far more effective
> method is to pay for an independent review by
> security experts. I would rather trust a
> closed source program which has been given a clean
> bill of health by a review team I trust than one
> which has been published on sourceforge.net
You are exactly right. I was sloppy in my statements. By "open source", I
meant reviewed by third parties not involved with the development effort.
These independent experts do not have to be the public at large, but they
should not be the same company that developed the product. You do get what
you pay for, and merely publishing source without ensuring that a proper
review is performed will not accomplish anything.
> Furthermore there is the risk that publishing software
> source code will give more information to the bad guys
> to allow them to design exploits.
I disagree here. Security by obscurity does not work. A closed source
application with many security holes will get abused more than an open
source application with few security holes. If source code is published
(and actually reviewed, as you point out), it will have most security holes
fixed. If a few slip by the experts, they will be fewer than the obvious
holes in some closed source applications. Microsoft has closed-source
software, and its holes are well-known and often exploited.
> Sadly, this is often a greater motivation for
> identifying security holes than an altruistic
> desire to improve the quality of someone else's
> software.
I don't mind this. Instead of relying on altruism to get security comments
back, we can trust that some people will selfishly scrutinize code to find
any minor flaw just to be able to brag about it. This is a more dependable
motivation for free feedback. They will work more diligently for their own
reward rather than for the code owner's benefit.
> The people for whom security is a life and death matter,
> like the military and spy agencies, do not publish their
> internal software as open source. I believe they share
> the belief that doing so is not the optimal way to secure
> their software. They rely on internal reviews, attack
> teams, and closed source.
I have extensive experience in reviewing and testing such classified
software. It is often riddled with obvious design flaws that were
overlooked because there was not enough peer review of the software.
Although the military will never go to the open-source model, they are
increasingly requiring independent review by experts not connected with the
development effort. They are learning that too much closed-door development
actually reduces security.
Your main point about hiring security experts and not just expecting the
public to debug open-source code for free is exactly right on. Open source
by itself does not guarantee any security. An independent security review
by experts is what is required.
--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant, Newstaff Inc. <www.Newstaff.com>
Board of Directors, Extropy Institute <www.Extropy.org>
Cofounder, Pro-Act <www.ProgressAction.org>