Does Shellshock Suggest that Many Eyes Do Not See Errors
-
-
@StrongBad said:
http://www.infoworld.com/article/2689233/security/shellshock-proves-open-source-many-eyes-wrong.html
I have always agreed with this for the simple reason that just because something CAN happen, it does not mean it WILL happen. Just as the author stated.
Open source could potentially be way more secure, but it simply is not because no one wants to spend that much time analyzing it.
-
@JaredBusch Same could be said about closed source. Open source everyone has the option to look at, closed source only a few people do. If they are not very good at it or don't care, then we are really in tough shape.
Every risk associated with open source comes with closed source too. But the risks of closed source are unique.
-
What if Microsoft hired a rogue employee as a programmer? Who's to say he'd be caught?
-
Bottom line, code is complex and things will be missed. Will be, always. The question is, what is the best method to expose and fix them.
Open source, in theory, finds bugs faster. Who knows how many holes exist in Windows XP that either have not been found yet or have not been announced yet? Just because the code is closed does not mean that they are not there still. Open Source makes the news for having bugs. Closed source does not since the code cannot be shown. That the exposures are high profile is the nature of not being able to hide anything. Nothing suggests that it is less secure and the rapidity with which the holes are patched speaks volumes to the process.
-
@thecreativeone91 said:
What if Microsoft hired a rogue employee as a programmer? Who's to say he'd be caught?
Nothing - beyond all of the existing security precautions which are pretty extreme. But what if Oracle hired a rogue programmer to do that to Microsoft's code? What is to say that he would be caught?
Like I said... ALL risks to open source apply equally to closed source. But the risks of closed source are unique.
-
@scottalanmiller said:
Every risk associated with open source comes with closed source too. But the risks of closed source are unique.
I quite agree with you on that. But the point the author was making, and the point that I agree with, is that just because open source CAN be more secure, does not mean it IS.
There are many, many people in the IT community that vocally believe that open source is simply more secure because it is open source and that is simply not true.
It is true that open source has the potential to be more secure.
-
@JaredBusch said:
I quite agree with you on that. But the point the author was making, and the point that I agree with, is that just because open source CAN be more secure, does not mean it IS.
Of course. Any given piece of code stands on its own. What's important is that we can't make one more or less secure, we can only encourage security. Closed source discourages security, but that can be overcome. Open source encourages security, but that can be overcome.
We can't stop someone "overcoming" but we can encourage the best result. That's the only difference that we can make.
-
@JaredBusch said:
There are many, many people in the IT community that vocally believe that open source is simply more secure because it is open source and that is simply not true.
As far as "all things being equal" is possible, I believe that this is true. The problem is that most people then take that statement and use it to mean that "all" open source code is safer than "all" closed code even for two different projects, which is completely senseless and has nothing to do with the situation.
It is if you took the same people and the same project and the same attempt over and over again one open and one closed that the open would win.
When choosing a process, you choose open for security.