Can open source be trusted?

Published February 1, 2011 by Stewart Baines in security

Crowdsourcing software development may be a well-established concept, but it still has its challenges.

In December, the open source world was abuzz when a former contributor to the OpenBSD open source Unix derivative claimed to have inserted back door code that would enable the FBI to monitor encrypted transmissions. Open source developers are now rushing to analyze the code and find out if that's true.

But regardless of the outcome, it raises the question: how much can we trust our open source software?

Open source software permeates the Fortune 500. Whether it's Linux, or open source email management or FTP software, most companies use it somewhere in their infrastructure. The traditional response to security concerns over open source has been that because so many people look at the code, bugs will naturally be weeded out. But how many of those people are trained security researchers? And could they spot security flaws that have been deliberately, rather than unwittingly, embedded in source code?

A recent paper published by the Department of Mathematics at Royal Holloway, University of London, advocates a threat modelling approach to evaluating crowdsourced software. Organisations using open source code should subject it to an evaluation in which real-world threats to the software are enumerated, prioritized, and then mitigated, says Yoav Aner, author of the paper.
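The enumerate, prioritize, mitigate cycle above is easy to state and easy to skip. The following Python script is an added example, not code from the post or from the Royal Holloway paper, showing one way an organisation could keep a threat register for an open source component it depends on. The threat entries, the 1-5 likelihood and impact scales, and the simple likelihood-times-impact risk score are all constructed assumptions for illustration; the only threat taken from the post is the deliberately inserted back door.

```python
"""Minimal threat register for evaluating an open source component.

Added example (not from the original post). Threats, scales and scores are
constructed for illustration; a real register would use the organisation's
own threat list and risk scale.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One enumerated threat against a component the organisation uses."""
    component: str
    description: str
    likelihood: int          # constructed scale: 1 (rare) .. 5 (expected)
    impact: int              # constructed scale: 1 (minor) .. 5 (severe)
    mitigations: list = field(default_factory=list)  # controls already in place

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score; an assumed scheme, not the paper's.
        return self.likelihood * self.impact


def validate(threat: Threat) -> None:
    """Reject scores outside the 1..5 scale so the ordering stays meaningful."""
    for name, value in (("likelihood", threat.likelihood), ("impact", threat.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")


def prioritize(threats: list) -> list:
    """Step 2 of the cycle: order enumerated threats, highest risk first.

    Ties are broken by impact, so a severe-but-unlikely threat ranks above a
    likely-but-minor one with the same product.
    """
    for t in threats:
        validate(t)
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


def unmitigated(threats: list, threshold: int) -> list:
    """Step 3 input: threats at or above the threshold with no control recorded."""
    return [t for t in prioritize(threats) if t.risk >= threshold and not t.mitigations]


# Constructed register for a hypothetical open source FTP daemon (sample data).
REGISTER = [
    Threat("ftpd", "Contributor deliberately inserts a back door into upstream code",
           likelihood=2, impact=5),
    Threat("ftpd", "Unreviewed upstream release introduces a memory-safety bug",
           likelihood=4, impact=4,
           mitigations=["pin to reviewed release", "fuzz before deployment"]),
    Threat("ftpd", "Download tarball tampered with in transit",
           likelihood=2, impact=4,
           mitigations=["verify published signature"]),
    Threat("ftpd", "Abandoned project stops shipping security fixes",
           likelihood=3, impact=3),
]


def report(threats: list = REGISTER, threshold: int = 9) -> list:
    """Return (description, risk) pairs for the threats still needing work."""
    return [(t.description, t.risk) for t in unmitigated(threats, threshold)]


if __name__ == "__main__":
    for rank, t in enumerate(prioritize(REGISTER), 1):
        status = "mitigated" if t.mitigations else "OPEN"
        print(f"{rank}. [{t.risk:2d}] {status:9s} {t.description}")
    print("\nNeeds a mitigation plan:")
    for desc, risk in report():
        print(f"  - ({risk}) {desc}")
```

The point of the ordering is the tie-break: the back door scenario scores the same as the abandoned-project scenario is not true here (10 versus 9), but in a larger register two threats with equal products are common, and ranking by impact first keeps the rare-but-catastrophic case from being buried under routine bugs that happen to be more likely.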

Of course, this requires organisations to devote significant resources to quality assessment. Unfortunately, many companies use open source software precisely because it is a cheap and quick way to meet software project deadlines. Nevertheless, if enough companies could be persuaded to make the effort, and to contribute their findings back to the broader open source community, we could drastically improve the quality of open source software - and justify our trust in it. That would doubtless make some of the original advocates of open source, such as Free Software Foundation founder Richard Stallman, very happy.

This post was co-written with my colleague Danny Bradbury.
