Information Security Magazine's online portal points to a study released today by Fortify Software about the security of open source projects.
From Search Security:
Enterprises often rely on open source software to save development time and money, but they should rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices.
* * *
The study discovered thousands of vulnerabilities, including nearly 23,000 cross-site scripting flaws and more than 15,000 SQL injection flaws. Of more concern, perhaps, is that there's little evidence open source projects have made finding and remediating security issues a priority. The number of flaws stayed about the same or even increased through each of three new versions of six of the packages tested. (CRM/groupware Hipergate had by far the most issues, more than 14,000.) [From Open source projects fall short on security]
Linus Torvalds doesn't think that security issues are any more important than other bugs. I think that attitude is reflected in results like these. The vulnerabilities in the study were located with an automated scanner and then verified by hand. These are the types of bugs that an attacker can find with minimal effort.
With proprietary software, a vulnerability count of this magnitude would show up in the stock price, forcing management to expedite patching. At Microsoft, the security team has the power to stop software from shipping if there are significant vulnerabilities that put their customers at risk.
In open source software, bug fixes are prioritized according to the interests of charismatic leaders instead of being driven by the needs of the end user. Linus is, in effect, making Steve Ballmer's case for him.
The full text of the study can be found here.
This is silly. Comparing a web application with a cross-site scripting issue to the kernel is absurd and a completely bogus analogy.
As for Linus' attitude towards security: (a) Linus doesn't write the kernel, dozens of people do, so Linus' attitude hardly represents the community of kernel developers as a whole, and (b) Linus is right. A security bug isn't any worse than a crasher; who cares if an unusable system has security issues?
"The study discovered thousands of vulnerabilities, including nearly 23,000 cross-site scripting flaws and more than 15,000 SQL injection flaws"
So all this relates to web applications? It has nothing to do with Linus or even Linux. Linux is an OS. And there are lots of non-web open source applications.
Posted by: Adam Tauno Williams | 07/21/2008 at 10:33 PM
My criticism isn't about the software itself or the nature of the bug, but the lax attitude that many open source projects take towards security; both the kernel and web-based applications are developed and managed using a similar model.
Though Linus is a genius, I think he's absolutely wrong about security not being any more important than other bugs. The key difference between a security bug and a crasher is that applications with security issues absolutely will make their way into enterprise environments, whereas crashing software cannot.
Posted by: Don Ankney | 07/22/2008 at 01:41 AM