Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Economics of Software Vulnerabilities

From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Tue, 20 Mar 2007 20:16:08 -0500
James McGovern apparently wrote...


The uprising from customers may already be starting. It is 
called open source. The real question is what is the duty of 
others on this forum to make sure that newly created software 
doesn't suffer from the same problems as the commercial 
closed source stuff...


While I agree that the FOSS movement is an uprising, it:
        1) it's being pushed by "customers" so much as IT developers
        2) the "uprising" isn't so much as being an outcry against
           security as it is against not being able to have the
           desired features implemented in a manner desired.

At least that's how I see it.

With rare exceptions, in general, I do not find that the
open source community is that much more security consciousness
than those producing closed source. Certainly this seems true
if measured in terms of vulnerabilities and we measure "across
the board" (e.g., take a random sampling from SourceForge) and
not just our favorite security-related applications.

Where I _do_ see a remarkable difference is that the open source
community seems to be in general much faster in getting security
patches out once they are informed of a vulnerability. I suspect
that this has to do as much with the lack of bureaucracy in open
source projects as it does the fear of loss of reputation to their
open source colleagues.

However, this is just my gut feeling, so your gut feeling my differ.
(But my 'gut' is probably bigger than yours, so feeling prevails. ;-)
Does anyone have any hard evidence to back up this intuition. I
thought that Ross Anderson had done some research along those lines.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
Previous By Date Next
Previous By Thread Next

Current thread: