Open Source Software Security Concerns
Security is Important, and so is Open Source
The list of mission-critical systems that are both highly reliable and freely developed is impressive. FreeBSD, Linux, Sendmail, GIMP and Apache (to name a few) are well-known names among e-commerce veterans, start-ups and ISPs, mainly because of their stability and attractive price (free). These products have achieved a reputation for security that has outstripped their commercial counterparts. How has this happened? Is the reputation deserved? And, more to the point, can it be maintained? Some people wonder just how secure these and other “open” systems really are. How can a product whose source code is freely available to anyone who wants it, including people up to no good, be as secure as a product developed in a traditional and highly secretive environment? How can secure development take place in an environment where no single party is accountable, where the ruling ethos is that “many eyes” are more trustworthy than a proprietary enterprise?
In recent years, Internet commerce has grown enormously in popularity. Names such as “Amazon” or “Yahoo” are now as familiar as “McDonald's”. What does this mean for commerce? It means that instead of handing over bills and coins, your money is whizzing around the Net, going straight from system to system without any hard currency changing hands. A study by the National Automated Clearing House Association found that while only 3% of monetary transactions are electronic, 89% of the money transferred is. In other words, you may hand over a dollar bill for a coffee every day, but you may also be transferring a thousand dollars electronically every week.
Physical money is comparatively easy to protect. Armored safes, armed guards and alarm monitoring systems all make keeping hard currency safe a well-understood job. But when there is no hard currency, what protects your funds? The answer is computer security, one of the most crucial components of online commerce. And how do we ensure that our computers are secure? Through Open Source, of course!
What is open source again? Geeks, Unix, and long beards all come to mind. But what open source really means is collaboration and good karma. There is a lot more to it than giving away your source code. Open source means people working together for a better product. The development process involves a lot of contributing people, some users, some programmers, constantly testing and fixing the program. They probably all have different motives. Some people may want to use the code for their own projects, and others may just be there for entertainment (these people love to code, remember).
Why open the door?
You’re probably thinking, “No way can a ragtag band of programmers do a better job than a high-paid team of developers from a successful corporation.” That may be true in some cases, but more often than not the open product will be the more reliable one. There are several reasons for this:
- With an open development model, the source code is available for everyone to scrutinize. No more being stuck with bugs or missing features: if you have the know-how, you can fix them yourself. The same goes for experienced developers from other projects. If a developer is curious about a project in development, he may contribute his expertise.
- The majority of developers work on a project because they want to use it. They’ve got the keys to the car and can rebuild the engine if they want. Dirk-Willem van Gulik, a developer of the famous Apache web server, told us: “We are in the unique position to be both the coder and the user. We do not just eat [our own] dog food, we write it and we use it for our own production servers. This fact, that there is no gap between the coder and the user, means that Apache actually does what a webmaster wants it to do. We are the producer and the consumer!”
- A proprietary development shop has a limited number of developers. Depending on its size, a company may have anywhere from a few to a few hundred of them. An open source project, however, can draw on every single person who uses the product; an average user can contribute just by sending in a bug report. SourceForge, a community website for the development of open source projects, has over 28,000 registered users. That is far more people than any conventional company could employ as developers.
- The software evolves at lightning speed. Instead of waiting for your programmer to work through the list of bugs you sent him, the bugs are posted online for millions to see, and people from all over the world send in fixes at once. If you are used to the slow pace of conventional software development, the effect is astonishing.
Coming soon: articles on “Open Source vs Closed Source Security” and “Open Source Software is less secure than Closed Source Software”.