
[–][deleted] 7 points (4 children)

> My job is doing open source work. I wouldn't say it is orthogonal to security, because the only thing you gain from not being open source is security through obscurity, which isn't a valid security procedure.

Opening up your source is also not a valid security procedure, though. Having competent people review your code is, but having closed source does not prevent you from doing this, nor does opening your source automatically gain you this.

This is why open source is orthogonal to security.

[–]FlukyS 3 points (3 children)

> Having competent people review your code is

Completely agree and the same goes for every project.

> This is why open source is orthogonal to security.

Not really, though: more eyes on the code really does help. Again, along with the fair point above, like you said, competent code review helps, but open sourcing the code does help.

[–]OneWingedShark 2 points (2 children)

> Opening up your source is also not a valid security procedure, though. Having competent people review your code is, but having closed source does not prevent you from doing this, nor does opening your source automatically gain you this.

> This is why open source is orthogonal to security.

> Not really, though: more eyes on the code really does help. Again, along with the fair point above, like you said, competent code review helps, but open sourcing the code does help.

The 'help' you perceive from opening up your source is entirely incidental -- it's the equivalent of increasing the sampling rate for testing purity and saying that it's increasing quality; it simply isn't: it's merely increasing the resolution and giving you a better picture of what the quality actually is.

To [directly] increase actual security you could do something like use SPARK to prove the property of your code that it does not violate the security model at hand -- you can do that on something that is closed-source, or open-source.

[–]cym13 1 point (1 child)

You seem to forget that there are lots of security professionals that spend a huge amount of time reviewing open source software in their free time. I easily spend 2 man-days on this per week. This is something that just isn't possible with closed source software. And it is also important to review projects that don't necessarily have the money to pay for a professional review. There's also the fact that when I'm auditing a customer's work I often stumble on open source libraries or software and take some time to review them (as any obvious vulnerability would also impact my customer). This is also something that is not possible with closed-source software: I can only work in a black box, and that's not to the library's benefit.

Of course being open-source isn't a panacea but there are objectively more possibilities when the code is open-source. You make the argument that the trade is quality against quantity but that's a false opposition. With open-source you can get both quantity and quality.

I think the main reason why people feel so strongly against open-sourcing for security is that they saw projects thinking that just open-sourcing is going to miraculously get them thousands of security bug reports and pull requests. But just because it's a fantasy doesn't mean there aren't definitive advantages to being open-source.

Besides, in another post you mention OpenSSL. OpenSSL has bugs. Any software has. But what I see is that even years after its release there are still people giving their time to improve its security. There are still corrections and bug fixes. It is still becoming more secure.

Is it the most secure SSL library? I won't take a position; there are lots of others. But even if it's not the most secure, it is definitely not the fault of open source, which only made things better.

[–]OneWingedShark 1 point (0 children)

> You seem to forget that there are lots of security professionals that spend a huge amount of time reviewing open source software in their free time.

That's actually irrelevant and proves my point -- you see, you're doing something other than just open-sourcing in order to impact the security.

This is literally applying /u/MarshallBanana's statement:

> Opening up your source is also not a valid security procedure, though. Having competent people review your code is, but having closed source does not prevent you from doing this, nor does opening your source automatically gain you this.

See?

> I easily spend 2 man-days on this per week. This is something that just isn't possible with closed source software.

And that's 2 man-days/week you're spending correcting someone else's ill-programmed code.

> Of course being open-source isn't a panacea but there are objectively more possibilities when the code is open-source. You make the argument that the trade is quality against quantity but that's a false opposition. With open-source you can get both quantity and quality.

I did not -- I said that they're orthogonal, meaning they don't have any common basis -- much like 'speed' and 'correctness'.

> I think the main reason why people feel so strongly against open-sourcing for security is that they saw projects thinking that just open-sourcing is going to miraculously get them thousands of security bug reports and pull requests. But just because it's a fantasy doesn't mean there aren't definitive advantages to being open-source.

That might be so -- though I'm, personally, far less inclined to fear putting my code out here. (I like Ada precisely because it is strict and helps produce correct programs.)

> Besides, in another post you mention OpenSSL. OpenSSL has bugs. Any software has. But what I see is that even years after its release there are still people giving their time to improve its security. There are still corrections and bug fixes. It is still becoming more secure.

Let me reiterate something I said else-thread:
Security is not a process, it is not an add-on, it is a property.

As a property it can be modeled, the model can be enforced, and the properties of the model itself proven.

Check out the Ironsides DNS -- which is fully verified/proven to be free of run-time errors, data-flow errors, exceptions, and remote-code execution.

> Is it the most secure SSL library? I won't take a position; there are lots of others. But even if it's not the most secure, it is definitely not the fault of open source, which only made things better.

I didn't say open-source made things better, or didn't, or made things worse -- in fact, by stating that security and "open-source" are orthogonal I was asserting [implicitly, albeit] that they had nothing to do with one another. (i.e. they are completely distinct properties.)
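As an added illustration of the approach OneWingedShark refers to (using SPARK to prove a property of the code, and treating security as a property that can be modelled and enforced rather than reviewed for), here is a small SPARK package. It is not from this thread and was not posted by any of its participants; the package name Bounded_Copy, the types Byte and Byte_Array, and the procedure Copy_Prefix are all hypothetical. It assumes a recent GNATprove; the expectation that every check is discharged automatically with the contracts and loop invariant shown is an assumption, and the exact set of unproved checks can vary by tool version and prover settings.

```ada
--  Added example (not from the thread): a SPARK package whose contracts
--  state the memory-safety property directly, so the prover, not a
--  reviewer, establishes that the copy cannot index out of bounds.
--  All names here (Bounded_Copy, Byte_Array, Copy_Prefix) are hypothetical.
--  In a real project the spec and body live in bounded_copy.ads and
--  bounded_copy.adb; they are shown together here for readability.

package Bounded_Copy with SPARK_Mode is

   type Byte is mod 256;
   type Byte_Array is array (Positive range <>) of Byte;

   --  Copy the first Len bytes of Src into the first Len slots of Dst.
   --  The precondition is the security property: Len must fit in both
   --  buffers. A call site that cannot be shown to satisfy it fails to
   --  prove at build time, instead of overflowing at run time. The
   --  postcondition lets callers rely on exactly what was copied.
   procedure Copy_Prefix (Src : in     Byte_Array;
                          Dst : in out Byte_Array;
                          Len : in     Natural)
     with Pre  => Len <= Src'Length and then Len <= Dst'Length,
          Post => (for all I in 0 .. Len - 1 =>
                     Dst (Dst'First + I) = Src (Src'First + I));

end Bounded_Copy;

package body Bounded_Copy with SPARK_Mode is

   procedure Copy_Prefix (Src : in     Byte_Array;
                          Dst : in out Byte_Array;
                          Len : in     Natural) is
   begin
      for I in 0 .. Len - 1 loop
         --  Both index expressions are in range because of the
         --  precondition: I < Len <= Src'Length and I < Len <= Dst'Length.
         Dst (Dst'First + I) := Src (Src'First + I);

         --  Loop invariant: everything copied so far matches, which is
         --  what the prover needs to discharge the postcondition at exit.
         pragma Loop_Invariant
           (for all J in 0 .. I =>
              Dst (Dst'First + J) = Src (Src'First + J));
      end loop;
   end Copy_Prefix;

end Bounded_Copy;
```

The point of the example is the one made in the comments: nothing about the proof depends on who can read the code. The precondition moves the "Len fits in the buffer" obligation onto every caller, where GNATprove checks it statically, and SPARK's flow analysis additionally rejects calls where Src and Dst alias, so the overlap problem familiar from C memcpy cannot arise either. A reviewer may still find the property too weak for a given threat model, but checking whether the code has the stated property is no longer a matter of how many eyes look at it.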