Linked by Thom Holwerda on Thu 26th Oct 2006 21:05 UTC
Alan Cox, one of the most respected figures in the UK open source community, has warned of complacency over the security of open source projects. Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasised that considerable sums of money were being spent to try and hack into open source systems. And he cautioned that many open source projects were far from secure. "Things appear in the media like open source software is more secure, more reliable and there are less bugs. Those are very dangerous statements," Cox said. My take: Agree wholeheartedly. Security complacency, often seen in OSNews' comments sections, is very, very dangerous.
Here's my take on this....
by Phloptical on Fri 27th Oct 2006 23:14 UTC

And I'm sure you all will correct me if I'm wrong, but this is the thing.

It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code. I think of it in terms of numbers...there will be far more developers looking to create/debug/fix code than people looking to hack it. Also, open source code isn't looking to attract sales dollars. So there's no push to make aggressive deadlines because of the commitment to the bottom line. When that happens, I believe that's when the buggy code gets released.

When you have closed source code, there's a finite number of individuals involved in the programming and they are being pushed by upper management to create so they can sell. There's a commitment to quality, but I'll tell you from a manufacturing background that when push comes to shove quality will take a backseat more often than not. Compared to the open source community, closed source code only has users who have paid for the software and are expecting it to perform a certain way. There's no community trying to make things better, and when the code gets released to the public the parent company disbands the majority of the original group of developers to have them work on other projects.

So that's the spiel. Long story short, the benefits of open source should outweigh the liability of allowing everyone access to the raw code.


RE: Here's my take on this....
by Larz on Sat 28th Oct 2006 12:40 in reply to "Here's my take on this...."

It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code.

There are certainly very secure proprietary systems, such as many mission (and life) critical systems. So I don't think that any open source project can be exponentially more secure than proprietary ones - but on average they have the potential to be more secure.

There's a commitment to quality, but I'll tell you from a manufacturing background that when push comes to shove quality will take a backseat more often than not.

Well, if security and quality are important enough to customers, proprietary software can be very secure too. But I admit that this is too seldom the case.

As for open source projects, the critical factor is that the project can attract the necessary community to be able to realize the effect of "many eyes" (many of the popular high-interest OSS projects have certainly attracted the right crowd of security-conscious people).

I don't disagree that OSS can be very secure (and often it is). But the most secure proprietary systems can compete with the most secure OSS projects.

Rather than seeing OSS as the only way to develop very secure software, I see the advantage of OSS in that it increases the likelihood of the product being developed in a secure fashion.

That alone is a very good reason to push OSS. But there is no deterministic relationship between development model and security level.


RE[2]: Here's my take on this....
by Phloptical in reply to "RE: Here's my take on this...."

I agree with you and see your point on secure proprietary systems having the potential of being as secure as OSS. Maybe using the term "exponentially" wasn't quite right. But I saw it as OSS isn't looking to turn a buck, therefore the community surrounding it should be more open to producing the best product they can, since it is really their names and reputations on the line when developing for the product. I also agree with another poster in one of the above posts that "secure" software is only one piece of the security spectrum.

I suppose I really see OSS as the ultimate push for development of ideas and innovation. Like Mozilla Firefox forced MS to release a better product in IE (regardless of which brand you wave the flag for). And like the emergence/dominance of foreign cars in America that forced the domestic companies to produce a better product. As long as you have OSS on equal footing with pay services or software, the product should only get better. It's competition that drives innovation, because innovation is usually expensive. Innovation is typically better for the consumer.

I do think OSS still has the ability of being more adept at incorporating new ideas and change, either for security's sake or any other part of the overall system. And it's that speed and ability to change quickly that would make it much more of a viable alternative to any proprietary system.