Comments on: Open-source misperceptions live on
An Election Technology Council white paper reminds us that there are still a lot of misunderstandings about open source outside of a tech-savvy audience.
This blog takes a deep (and often skeptical) look at trends big and small in the world of enterprise servers, data centers, and "Yotta-scale" computing. This means also taking into account the myriad of software, networks, and devices that are driving change in (or being driven by) these back-end systems. Stories posted to this blog may also appear on Illuminata's site.
Gordon Haff is a principal IT adviser for Illuminata of Nashua, N.H. Before becoming an IT industry analyst, Gordon held a variety of product-marketing positions at Data General, spanning more than a decade. He's programmed for DOS, Windows, and Linux; builds his own PCs; and holds engineering degrees from MIT and Dartmouth, with an MBA from Cornell. He is a member of the CNET Blog Network and is not an employee of CNET.
To go further, code review will find some vulnerabilities, but you will never exploit one based on source code. If you don't use the exact compiler and flags, your executable may be too different from what is running on a target to exploit it properly.
Most vulnerabilities these days are found via fuzzing or disassemblers, not by reading through source code.

by mbenedict April 16, 2009 11:34 PM PDT
As a security professional, the biggest problem I see with most open-source projects is the lack of formal security design, review, and testing as part of the project's normal development lifecycle.
Without proper processes in place, security is only based on "hope" that someone from this "nebulous community" will notice a vulnerability. That's simply not a good approach. We keep plugging the same holes over and over again because security was never considered as part of the program's original design.
I don't want to single out particular open-source companies, but let's just say the kinds of continued security breaches we're seeing in many "content management systems" are just mind-boggling and inexcusable. These companies should spend some of their revenue dollars on improving security rather than leaving their customers (and their community) vulnerable.

by ghaff April 17, 2009 3:22 AM PDT
Yes, although that's basically a comment on ad hoc development in general as opposed to open source. There's certainly a correlation between the two--given that so many casual/hobbyist/etc. development projects these days are open source--but it's in no way inherent to open source. Based on looking at open-source CMS a couple of years back, I can imagine that being a particular problem; it's an incredibly littered landscape with a lot of forked and semi-abandoned projects. (But there are also commercial entities such as Alfresco.)

by vikinzer April 17, 2009 5:39 AM PDT
This goes back to the comment made in the article about open source circa 1997. No one in their right mind would deploy a community-only open source project in an environment that requires security. You mention specific companies. This is a case of a company producing a poor product. It is the same situation Microsoft had back in the '90s when I could sneeze on their operating system and find a hole in it. That was a closed source situation. This phenomenon has nothing to do with open or closed source. If you look at the companies that have built a strong reputation for themselves, such as Red Hat, Novell, MySQL (Sun), you see that the development model is neutral in terms of security.
A perfect example of this is Firefox and IE. Firefox has its share of security problems. I will not say it is inherently more secure than IE. However, IE languished in security squalor for years because Microsoft had so much market share they felt no need to work on the product. Then along comes Firefox, which brands itself as much more secure. In fact it wasn't, but no one had written malware for it. Microsoft got off its behind and patched up IE. It's still not perfect, but it's much improved. Once equilibrium was met we started seeing holes in Firefox, but they were patched very quickly. We still occasionally see Microsoft patch a hole that affects IE going back several full version points. That means the hole has languished unnoticed and untouched. This is a perfect example of how closed source has its security problems from lack of oversight from the customer. Your complaint about "open source" having problems because of lack of organization within a "nebulous community" is left void by the fact that you then turn around and point to companies with products. That is the same situation as IE 6: poor motivation and security processes in a company, either due to lack of expertise or lack of motivation.