ownCloud most secure open source file sync and share - yeah, right...
... according to a blog by our security guy. Yeah, look who's talking, but I think it is, in general, an interesting blog. He attacks the simple view of just looking at the number of security advisories and drawing conclusions from that:
"Many vendors tend to not disclose their security problems which makes them look better if one simply looks at factors such as amounts of the advisories."
"If we’d stop putting so much effort into finding and fixing security problems, which would decrease the number of advisories, ownCloud wouldn’t necessarily become more secure."
He uses some decent math to make his point and I think this can be informative about other projects, too.
Find his blog here.
In IT Land, we all should know and expect vulnerabilities in every application we use. It is good to see some companies being up front about it, and not threatening security researchers with legal action like some other companies... cough Oracle cough.
You guys make a great system! Keep up the good work!
I have thought that if you want secure, you have it encased in concrete, with layers of 2" thick plates of steel and then buried at the bottom of a volcano...
Otherwise... anyone who wants it bad enough will go after it.
Thanks, very interesting.
@gjacobse yeah, entirely safe is not possible. And of course, large companies (think of Dropbox, Google, etc.) have huge numbers of security people and tools and I bet they create very secure software. Thing is, as you say, entirely safe is not possible and these big boys are very interesting targets while your ownCloud running on your private server isn't... So in practice, decentralization might still be the better option. Everything can be hacked but you're a lot less interesting on your own little server than together with everybody else.
Plus open source adds the potential for more eyeballs on the code, better audits, more review, etc.
Yup, our security guy is a big believer in "Linus' law": "many eyeballs make all bugs shallow" or something like that.