Open-source software security

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.


Implementation debate


Benefits

* Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and the rate at which patches and updates are released.
* It is assumed that any compiler that is used creates code that can be trusted, but it has been demonstrated by Ken Thompson that a compiler can be subverted using a compiler backdoor to create faulty executables that are unwittingly produced by a well-intentioned developer. [Witten, B., Landwehr, C., & Caloyannides, M. (2001, September/October). Does Open Source Improve System Security? ''IEEE Software'', 57–61. Retrieved 5 May 2008, from Computer Database.] With access to the source code for the compiler, the developer at least has the ability to discover whether there is any malicious intent.
* Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and still not be able to compromise the information. His ideas were the basis for many modern security practices, from which it followed that security through obscurity is a bad practice.


Drawbacks

* Simply making source code available does not guarantee review. An example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit. At one time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or patches.
* Having a large number of eyes reviewing code can "lull a user into a false sense of security". Having many users look at source code does not guarantee that security flaws will be found and fixed.


Metrics and models

There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.


Number of days between vulnerabilities

It is argued that a system is most vulnerable after a potential vulnerability is discovered, but before a patch is created. By measuring the number of days between the discovery of a vulnerability and its fix, a basis can be established for judging the security of the system. There are caveats to such an approach: not every vulnerability is equally severe, and fixing many bugs quickly is not necessarily better than finding fewer and taking somewhat longer to fix them, once the operating system and the effectiveness of the fix are taken into account.
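The exposure-window measurement described above can be made concrete. The following Python is an added example, not part of the original article: it computes the days between disclosure and fix over a constructed set of vulnerability records, and addresses the first caveat by also reporting a severity-weighted figure and the longest still-open window. The severity weights, the record layout, and the sample identifiers and dates are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Severity weights are an assumption for illustration (not from the article);
# they encode the caveat that not every vulnerability is equally bad.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}


@dataclass(frozen=True)
class VulnRecord:
    ident: str              # placeholder label, not a real advisory identifier
    severity: str           # key into SEVERITY_WEIGHT
    disclosed: date         # day the flaw became known
    fixed: Optional[date]   # day a patch shipped, or None while still unpatched


def exposure_days(rec: VulnRecord, as_of: date) -> int:
    """Days the system was exposed: disclosure to fix, or to `as_of` if still unfixed."""
    end = rec.fixed if rec.fixed is not None else as_of
    if end < rec.disclosed:
        raise ValueError(f"{rec.ident}: end date precedes disclosure")
    return (end - rec.disclosed).days


def summarize(records: list, as_of: date) -> dict:
    """Plain and severity-weighted days-to-fix, plus what is still open."""
    fixed = [r for r in records if r.fixed is not None]
    still_open = [r for r in records if r.fixed is None]
    days = [exposure_days(r, as_of) for r in fixed]
    weights = [SEVERITY_WEIGHT[r.severity] for r in fixed]
    weighted = (sum(d * w for d, w in zip(days, weights)) / sum(weights)) if fixed else 0.0
    return {
        "fixed": len(fixed),
        "open": len(still_open),
        "mean_days": mean(days) if days else 0.0,
        "median_days": median(days) if days else 0.0,
        "weighted_mean_days": weighted,
        # the longest-running unpatched window is the exposure that matters most today
        "worst_open_days": max((exposure_days(r, as_of) for r in still_open), default=0),
    }


# Constructed sample records; the identifiers and dates are made up for this example.
SAMPLE = [
    VulnRecord("VULN-A", "low", date(2024, 1, 2), date(2024, 1, 4)),
    VulnRecord("VULN-B", "critical", date(2024, 1, 10), date(2024, 2, 9)),
    VulnRecord("VULN-C", "medium", date(2024, 2, 1), date(2024, 2, 11)),
    VulnRecord("VULN-D", "high", date(2024, 3, 1), None),
]
AS_OF = date(2024, 3, 15)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, AS_OF).items():
        print(f"{key:>20}: {value}")
```

On the constructed sample the unweighted mean is 14 days while the severity-weighted mean is about 24 days, because the single critical flaw took 30 days to patch; the two figures diverging is exactly the signal the caveat in the text warns a plain day count would hide.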


Poisson process

The Poisson process can be used to measure the rates at which different people find security flaws in open-source and closed-source software. The process can be broken down by the number of volunteers Nv and paid reviewers Np. The rate at which a volunteer finds a flaw is λv and the rate at which a paid reviewer finds a flaw is λp. The expected time for the volunteer group to find a flaw is 1/(Nv·λv) and the expected time for the paid group to find a flaw is 1/(Np·λp).
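The two expectations above follow from the fact that the earliest of N independent exponential waiting times is itself exponential with rate N·λ. The following Python is an added example, not from the article: it evaluates 1/(Nv·λv) and 1/(Np·λp), checks the closed form against a seeded simulation, and goes one step beyond the text by giving the probability that the volunteers find a flaw before the paid reviewers when both groups search at once (a consequence of the same model). The reviewer counts and rates in the scenario are constructed.

```python
import random


def expected_time_to_first_flaw(n_reviewers: int, rate: float) -> float:
    """Expected time until the first of n_reviewers independent reviewers, each finding
    flaws at `rate` per unit time, finds one.  The earliest of n exponential waiting
    times is exponential with rate n*rate, so the expectation is 1/(n*rate)."""
    if n_reviewers <= 0 or rate <= 0:
        raise ValueError("need a positive reviewer count and a positive discovery rate")
    return 1.0 / (n_reviewers * rate)


def simulate_mean_time_to_first_flaw(n_reviewers: int, rate: float,
                                     trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw each reviewer's discovery time,
    keep the earliest, and average over trials (seeded so the result is reproducible)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += min(rng.expovariate(rate) for _ in range(n_reviewers))
    return total / trials


def probability_volunteers_first(n_v: int, lam_v: float, n_p: int, lam_p: float) -> float:
    """With both groups searching at once, the chance the volunteers find the flaw first
    is the volunteer share of the combined discovery rate.  This is a property of
    competing exponential clocks; it is drawn from the model, not stated in the article."""
    vol_rate, paid_rate = n_v * lam_v, n_p * lam_p
    return vol_rate / (vol_rate + paid_rate)


def compare_groups(n_v: int, lam_v: float, n_p: int, lam_p: float) -> dict:
    """Side-by-side view of the two groups' expected time to a first find."""
    return {
        "volunteer_expected_time": expected_time_to_first_flaw(n_v, lam_v),
        "paid_expected_time": expected_time_to_first_flaw(n_p, lam_p),
        "p_volunteers_first": probability_volunteers_first(n_v, lam_v, n_p, lam_p),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 volunteers who each find a flaw at 0.01 per day versus
    # 5 paid reviewers at 0.1 per day.  Time units are whatever the rates are quoted in.
    result = compare_groups(100, 0.01, 5, 0.1)
    for key, value in result.items():
        print(f"{key:>25}: {value:.3f}")
    print("simulated paid-group mean:", round(simulate_mean_time_to_first_flaw(5, 0.1), 3))
```

In the constructed scenario the volunteer group (aggregate rate 1.0) is expected to find a flaw in 1 day and the paid group (aggregate rate 0.5) in 2 days, so the volunteers find it first about two thirds of the time; the simulated mean for the paid group lands close to 2.0, confirming the closed form.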


Morningstar model

By comparing a large variety of open-source and closed-source projects, a star system could be used to analyze the security of a project, similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such a system is as follows: [Peterson, G. (6 May 2008). Stalking the right software security metric. Retrieved 18 May 2008, from Raindrop.]
* 1 Star: Many security vulnerabilities.
* 2 Stars: Reliability issues.
* 3 Stars: Follows best security practices.
* 4 Stars: Documented secure development process.
* 5 Stars: Passed independent security review.


Coverity scan

Coverity, in collaboration with Stanford University, has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software. [Coverity. (n.d.). Accelerating Open Source Quality. Retrieved 18 May 2008, from Scan.Coverity.com.]
The level of quality and security is measured in rungs. Rungs do not have a definitive meaning and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found in the Coverity Analysis results and the degree of collaboration with Coverity. [Coverity. (n.d.). Retrieved 18 May 2008, from Scan.Coverity.com.]
They start with Rung 0 and currently go up to Rung 2.
* Rung 0: The project has been analyzed by Coverity's Scan infrastructure, but no representatives from the open-source project have come forward for the results.
* Rung 1: At rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.
* Rung 2: There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and Tcl.


Media

A number of podcasts cover open-source software security:
* Open Source Security Podcast
* Linux Security Podcast


See also

* Open Source Security Foundation


External links

* Bruce Schneier, "Open Source and Security", ''Crypto-Gram Newsletter'', 15 September 1999
* Messmer, Ellen. (2013). ''Network World'', 30(5), 12-12, 14. (Article at ''CIO'' magazine)
* Census Project / Core Infrastructure Initiative by the Linux Foundation