Linux guru warns on security of open-source code

Alan Cox, one of the most respected figures in the U.K. open-source community, has warned about complacency over the security of open-source projects.

Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasized that considerable sums of money were being spent in attempting to hack into open-source systems.

And he cautioned that many open-source projects were far from secure.

Alan Cox
Linux developer

"There is a lot of money going into security, but the situation is worse, because there is a lot of money going into breaking security. People are being paid to work breaking down software systems," Cox, who is employed by Linux seller Red Hat, told delegates.

"Things appear in the media, like 'open-source software is more secure, more reliable and there are less bugs.' Those are very dangerous statements," Cox said.

Cox said that analysis looks only at well-known projects. An analysis of 150 projects from SourceForge, a repository for open-source code, would not result in the same high marks that the Linux kernel would get, he noted. "High-quality only applies to some projects--those with good code review and those with good authors," Cox said.

"The debate of Microsoft saying 'Look how secure we are' versus Linux saying 'We're more secure' is not looking at the important points," he added.

Cox, who has been closely involved with the development of the Linux kernel for many years, also took the opportunity to take a swing at a newly launched project that promises to measure the quality of open-source code.

The Software Quality Observatory for Open Source Software (SQO-OSS), funded by the European Commission, was launched on Monday. Cox told delegates that metrics must not become targets.

"It is good to build metrics, and SQO-OSS has great potential," he said. "But there are problems with this, and there are risks associated with that kind of methodology.

"If you are working with metrics and you have 14 bugs, you fix the 13 easy ones, and the one hard one can wait. That happens in the security world, but it becomes inefficient."

Richard Thurston reported for ZDNet UK in London.

more eyes are better than fewer...

...good points in the article, but transparency into the code and the surrounding processes can only increase security. For proprietary vendors, one can only hope that their processes for vetting developers and code are both sound and adhered to.

[chill633]

...sometimes

Open source only makes more eyes possible, but doesn't mean they are necessarily doing it. Can you read Swahili? Neither can I, and that is what source code looks like to a lot of people. Lots of eyes mean nothing if those eyes don't belong to people who have the necessary skillset.

Many people who can code don't have the necessary skills to write or check secure code.

The "many eyes" theory can lead to a false sense of security.

Many eyes increase potential, but don't necessarily reflect reality. Don't get me wrong, it is a plus, but it isn't a guarantee of quality or security.

[herby67]

Define better

At finding bugs? Likely.
At fixing them? Probably.
At reporting them responsibly? Unlikely.

In OSS hackers have the source code to their advantage, and they can find bugs and develop exploits with more ease than in closed source products.
Yes, if there were millions of eyes looking at a single piece of code, most bugs would be discovered several times, and more likely than not, at least one of them would do the right thing. But as more code is written, more projects are OSS and programs become more complex, with te number of programmers holding steady, that means less eyeballs per line of code, less peer review. In closed source, the ratio is fixed by the company's policies. More code means more eyes.
And the fact is, if you look at the per project statistics, OSS has more bugs REPORTED than in closed source. Given what I just explained, it is likely that the number of bugs being discovered is even more skewed towards OSS. OSS has the saving grace of being more heterogeneous and less widely distributed so exploits are difficult to apply in mass. But as OSS grows that might stop being an advantage, so in order to continue being secure OSS will need to raise the quality bar well above closed source products. And that's something that's easier said than done.

[rapier1]

not so

The idea that "many eyes makes all bugs shallow" is well known but it turns out not to be entirely true. Many bugs still exist and exploits continue to be found. The validity of the statement really depends on the kind of people a project gathers around it. A bunch of people intent on making the next hip cool file sharing tool might not be as concerned about security as say... the openssh people.

[justanotherposter]

Security is not in the eyes it's in the skills

There are millions of developers in the world today that write code for any number of products.

99.999 percent of these have little to no security training, knowledge or experience to do security code reviews or for that matter even know what to look for or what to do with it if they found it.

They have enough issues just trying to develop, employ and maintain good application development practices, security notwithstanding.

Outside of personal reasons (goals - fame) there is not much motivation and no consequences to them personally or financially if they do not do security code reviews or even tell anyone about it.

Code reviews are very hard, long, arduous and boring.

Coders like writing the next cool widget with no concern for anything else; only when they can be forced to employ secure coding practices and when they are held personally accountable (when their job is on the line) or they really going to do this (and sometimes they will still try and skate by here).

This even depends on if the company follows through with absolute disciplinary actions when proper practices, as established are not followed.

Colleges and universities, even today (in the past it was completely non-existant), do not have a solid curriculum / offering for programmers regarding secure coding practices. Those that do, it has only been a recent cursory offering and not a required part of the degree program; it?s an elective.

Unless your degree concentration is in security, you are 99.999 percent most likely not to get it.
Our educational systems, is failing miserably at this as well as many other areas. Expecting an individual programmer type to go down this path is a personal commitment at a very individual level and most developers, just don?t care, the comment ?we don?t have time for this?, is very common.

If the company and development staff is not seriously interested in security and holding their project/product/line managers and development staff fully accountable, inclusively providing them training, re-evaluating their skills, and updating their skills, then the whole point is moot.

Security is very complicated and requires dedication, persistence and a manic concentration on the topic.

Security is also very expensive on both sides of the coin. Doing it is going to cost you a lot of time, effort and money, not doing it is going to cost you a lot of time effort money and embarrassment.

Most workers only care about doing only what they have to do to keep their jobs and getting paid (and those bonuses)not necessarily about getting it right. Most companies only care about getting the least costly workers and selling the product or service at the highest profit margins.

(Don?t think that just because someone gives you something for free, that they are not going to make sure they make up the difference in service offerings and other incidentals.)

How many of you spend the extra time to master this skill set if it is not your job?

How many off you try to master this skill set, on your own time, regardless of whether it?s your job or not?

How many of you regularly update your security skill set?


How much money, time and effort are you willing to invest, outside of your job, taking time away from your family, friends and other facets of your life to do this, when you are not getting paid fot it?


How much personal (non-reimbursable) money, time (evenings, weekends, vacation) and effort are you will to lose for you to be able to do the right things regarding security period?

How many developers even take the effort to master an understanding of the underlying OS, Network backbone, IA policies, penetration testing, firewall intricacies, cryptology, PKI, data protection and the like, to make sure their development process and products are in line?

How many developers/network engineers understand and employ / maimtain proper business and use case modeling, white box and black box testing, threat modeling and data flow diagrams, as well as security governance (law)?

As you can see from the question list, no one person can do this (not even thousand, millions, etc? of individuals); it?s a team responsible effort, not an individual one.

So, the more eyes are meaningless, unless they are part of a team of organized, dedicated, educated, skilled professionals who would do this every day. Regardless of the next cool thingy on the table.

[cyberposium12]

Google increasingly promoting open source

Security should be even more of a concern considering that a number of large companies (IBM, Google to name a couple) have been getting more supportive of open source recently.
Google even paid college students to spend their summer contributing to an open source project (Summer of Code).

Chris DiBona, Open Source Programs Manager at Google will be speaking at Harvard Business School's technology conference, Cyberposium, on Nov 11. If you're interested in where Google's going next, you may want to check it out at www.cyberposium.com.

[Ted Miller]

We are the losers!

Concerning the comment: "There is a lot of money going into security, but the situation is worse, because there is a lot of money going into breaking security. People are being paid to work breaking down software systems," I would like to know just who's money are we talking about here?
Microsoft?? Apple?? What I read into all this is that the hackers are no longer bored kids on vacation with nothing better to do, but are now big greedy selfish slobby corporate snobs who step all over each other and we the little users get crushed. This is truly sad and I would love to see a goverment investagation into this matter before computer become useless as an eight track player.

[qwerty75]

re

There are many software security firms. This is a very good thing. The more bugs get found, the more then can be fixed. It is sad that the situation requires professional security firms, but it is a fact of life.

The reasons for the security issue are numerous. First on the list is the poor practice of hiring self-taught, barely certified in the basics of a language people. These people have no understanding of the practical and theoretical underpinnings of computers and programming languages. Nor do they have specialized knowledge of security practices.

The sad fact is that many computer science programs don't stress security very hard, or not at all. They are concerned with the algorithmic, and mathematical side of things. Those are good things to learn as it makes for good programmers. Happily, security is becoming a strong emphasis in CS programs across the country. So the situation will get better over time, as more and more CS grads are loosed on the world with a solid understanding of how to avoid, find and fix security problems.

Knowledge of secure coding practices and using them is what makes a great programmer.

Worst of all is the proliferation of greedy businessmen and bean-counters in the industry. They push for fast releases and care only if it works as advertised. There are far too many idiots with MB A's(is there any other kind of MBA holder?) with absolutely no knowledge of software engineering making decisions that affect the product in severely negative ways,

In my CS program, I take advantage of every security class available, and am specializing in network security.

My dream job will be to get paid to find and FIX others flaws. I believe it is a noble course to take and will improve computing for everyone. Which in the end is why I started this challenging program.

[sys6656]

Not a smart comment !

Time to retort.

1) Kind of a silly comment that Mr.Cox said.. isn't it? All Security / PC Techs know that there is "no" 100% secure software out there, or any software that won't end up on the Hacker's plate. So I do not know why Mr. Cox would even bring this up to Open Source crowd.

2) It really doesn't matter why or how the comment was made, it "does" make Linux, "all distro's" look bad to the unknowing users that read that. Even Red Hat gets a shot in the foot with his comment.

My 2 Cents.
sys6656

[sys6656]

Not a smart comment !

Time to retort.

1) Kind of a silly comment that Mr.Cox said.. isn't it? All Security / PC Techs know that there is "no" 100% secure software out there, or any software that won't end up on the Hacker's plate. So I do not know why Mr. Cox would even bring this up to Open Source crowd.

2) It really doesn't matter why or how the comment was made, it "does" make Linux, "all distro's" look bad to the unknowing users that read that. Even Red Hat gets a shot in the foot with his comment.

My 2 Cents.
sys6656

[qwerty75]

re

Just because there is no 100% secure software(at least no non-trivial programs), doesn't mean that it should not be attempted and there should always be an eye on security.

He brought it up because many projects on SourceForge are not pulling their weight in terms of security. Security is something that should be shoved down every programmers throat.

Keeping security concerns on the front burner is a benefit to everyone.

Trying to distract others away from security is one reason why MS is a security nightmare. They still don't attack it head on in a realistic manner.

His comments are not only valid, but should be voiced, and often.

The fact that Linux needs no AV or AS software to run securely speaks louder to potential end-users then comments that are over their head to begin with.

[sys6656]

Security

Computer Security is not get better. The real reasons for this is MS disregard for security in the first place. The 2nd is companies not properly training the employees with basic "compusec". Some users just don't want to learn.
The other reason is Tech and IT employees that have tons of computer certs (Another MS invention) but no "real" first hand experience working on LAN / WAN .

[justanotherposter]

This is about OpenSource reailty check / and an industry one... PERIOD

How did this turn into a MS rant. Mr. Cox is specifically addressing the Open Source community and something we all need to address, vendor notwithstanding.

And there have been tons of cert well before MS went at it, can we say Banyan, Novel, et all.
Since every other vendor uses them, and corporate america and government requires them, get over it, they are here to stay. Whether a individuals agree with them or not, it just does not matter. They are the litmus test just to get IT jobs these days.

There are a great number of people without them that can do the job but not pass the test and vice versa. There are alos tons who can do both. TO use a blanket statement is just absolutly wrong, there are always exceptions to the rules.

You cannot (in a business setting) get first hand experience until you get a job in whatever you are after, and in a lot of situations you cannot get a job unless you have college degree and the additional certs. A great number of IT companies wil not even look at you if you do not hold a masters degree, regarless of your experience or certification level. So if we are going to address paper let's address it all. I know a great number of people with no college or Associate Degrees that can and do run circles around folks with BA and MS degrees, because these guys are been in the field while the others are just getting out of school. But that dose not matter they have the higher paper and the others do not.

Lastly back to the topic of the author, it's a wakeup call / statment to the Open Source community and should be the same for our educational institutions who keep pumping out the IT Degrees in whatever discipline with no focused security curriculum required as part of it.

The overall source of this problem is education and commitment(product, vendor, community, individual), not just some vender or product.

As part of the IT industry, we should care less what the other side is doing and just make sure we are all doing the right things around all things necessary.

Stick to the topic, how the Open Source community needs to self check, which is the authors point and leave the 'what other vendors are doing or not doing' soapbox out of it.

[justanotherposter]

Security is not in the eyes it's in the skills

There are millions of developers in the world today that write code for any number of products.

There are millions of IT pros and management who implement and support infrastructures with no real full understanding or commitment to security.

99.999 percent of these have little to no security training, knowledge or experience to do security code reviews, or security penatration testing, or security audits, or for that matter even know what to look for or what to do with it if they found it.

They have enough issues just trying to develop, employ and maintain good application development practices, and network infrastructures, security notwithstanding. Yet this is still no excuse.

Outside of personal reasons (goals - fame) there is not much motivation and no consequences to them personally or financially if they do not do security code reviews / penatration testing / security audits or even tell anyone about it (the need for it to be done).

Code reviews are very hard, long, arduous and boring. the same holds true for security audits.

Coders like writing the next cool widget with no concern for anything else; only when they can be forced to employ secure coding practices and when they are held personally accountable (when their job is on the line) or they really going to do this (and sometimes they will still try and skate by here). And engineers just care about getting there five 9's in their uptime report (not necessarily a bad thing but without security, who cares if the system is up 100% of the time, if the whole thing is compromised and no one knows about it).

This even depends on if the company follows through with absolute disciplinary actions when proper practices, as established are not followed.

Colleges and universities, even today (in the past it was completely non-existant), do not have a solid curriculum / offering for programmers regarding secure coding practices. Those that do, it has only been a recent cursory offering and not a required part of the degree program; it?s an elective.

Unless your degree concentration is in security, you are 99.999 percent most likely not to get it.
Our educational systems, is failing miserably at this as well as many other areas. Expecting an individual programmer type to go down this path is a personal commitment at a very individual level and most developers, just don?t care, the comment ?we don?t have time for this?, is very common.

If the company and development staff is not seriously interested in security and holding their project/product/line managers and development staff fully accountable, inclusively providing them training, re-evaluating their skills, and updating their skills, then the whole point is moot.

Security is very complicated and requires dedication, persistence and a manic concentration on the topic.

Security is also very expensive on both sides of the coin. Doing it is going to cost you a lot of time, effort and money, not doing it is going to cost you a lot of time effort money and embarrassment.

Most workers only care about doing only what they have to do to keep their jobs and getting paid (and those bonuses)not necessarily about getting it right. Most companies only care about getting the least costly workers and selling the product or service at the highest profit margins.

(Don?t think that just because someone gives you something for free, that they are not going to make sure they make up the difference in service offerings and other incidentals.)

How many of you spend the extra time to master this skill set if it is not your job?

How many off you try to master this skill set, on your own time, regardless of whether it?s your job or not?

How many of you regularly update your security skill set?


How much money, time and effort are you willing to invest, outside of your job, taking time away from your family, friends and other facets of your life to do this, when you are not getting paid fot it?


How much personal (non-reimbursable) money, time (evenings, weekends, vacation) and effort are you will to lose for you to be able to do the right things regarding security period?

How many developers even take the effort to master an understanding of the underlying OS, Network backbone, IA policies, penetration testing, firewall intricacies, cryptology, PKI, data protection and the like, to make sure their development process and products are in line?

How many developers/network engineers understand and employ / maimtain proper business and use case modeling, white box and black box testing, threat modeling and data flow diagrams, as well as security governance (law)?

As you can see from the question list, no one person can do this (not even thousand, millions, etc? of individuals); it?s a team responsible effort, not an individual one.

So, the more eyes are meaningless, unless they are part of a team of organized, dedicated, educated, skilled professionals who would do this every day. Regardless of the next cool thingy on the table.