Can open source be trusted?
Crowdsourcing software development may be a well-established concept, but it still has its challenges.
In December, the open source world was abuzz when a former contributor to the OpenBSD open source Unix derivative claimed to have inserted back door code that would enable the FBI to monitor encrypted transmissions. Open source developers are now rushing to analyze the code and find out if that's true.
But regardless of the outcome, it raises the question: how much can we trust our open source software?
Open source software permeates the Fortune 500. Whether it's Linux, or open source email management or FTP software, most companies use it somewhere in their infrastructure. The traditional response to security concerns over open source has been that because so many people look at the code, bugs will naturally be weeded out. But how many of those people are trained security researchers? And could they spot security flaws that have been deliberately, rather than unwittingly, embedded in source code?
A recent paper published by the Department of Mathematics at Royal Holloway, University of London, advocates a threat modelling approach to evaluating crowdsourced software. Organisations using open source code should subject it to an evaluation in which real-world threats to the software are enumerated, prioritized, and then mitigated, says Yoav Aner, author of the paper.
Of course, this requires organisations to devote significant resources to quality assessment. Unfortunately, many companies use open source software precisely because it is a cheap and quick way to meet software project deadlines. Nevertheless, if enough companies could be persuaded to make the effort, and to contribute their findings back to the broader open source community, we could drastically improve the quality of open source software - and justify our trust in it. That would doubtless make some of the original advocates of open source, such as Free Software Foundation founder Richard Stallman, very happy.
This post was co-written with my colleague Danny Bradbury.