Chad Perrin perrin at
Fri Jun 5 18:10:37 UTC 2009

On Wed, Jun 03, 2009 at 08:32:38PM +0200, Wojciech Puchar wrote:
> Everyone can find them and fix, but at the same time everyone can find 
> them and use them.
> With closed source both are more difficult.

That's not strictly true.

In general, it's easier to discover vulnerabilities through reverse
engineering techniques, fuzzing, et cetera, than by sifting through
source code.  The exceptions are cases where someone made a *really*
bone-headed coding error.  As a result, except when a programmer who adds
code to the project is just completely incompetent (or has such an
incompetent moment -- we all make mistakes), and it somehow passes review
by other people on the development team (unlikely unless people aren't
reviewing each others' code), it really isn't any easier to discover
security vulnerabilities in open source software than in closed source.

The purely technical difference provided by open source software when it
comes to vulnerability discovery and patching is that, once a
vulnerability has been found, its origins in the source code can be
tracked down and patched by *anyone*.  In short, in technical terms, open
source software makes it easier to *fix* vulnerabilities because it opens
the pool of potential patch developers beyond the core team, but it
doesn't really make it any easier to *discover* vulnerabilities in the
general case.

Then, of course, there are the social effects -- which encourage people
who have a healthy interest in the software to contribute to its security
and stability through a number of related social mechanisms.  Overall,
it's a tremendous win for open source software development.

That doesn't mean that any given open source application will
necessarily, inherently be more secure than any given closed source
equivalent.  It does, however, mean that if you're a betting man, your
chances of winning a bet lie with the open source application, all else
being equal.

> >In MICROS~1 land, you give yourself entirely into the hand of a
> >corporation that is not interested in selling secure products,
> So this is not open/closed source problem, but micro-soft approach.
> They just don't care about security. As they don't care about performance 
> and about bugs. But that's just micro-soft.

Part of the problem of closed source software is that it provides a kind
of "safe haven" for such unscrupulous software developers and vendors,
where many such failings of secure development may go unnoticed due to
the inability to determine exactly what's going on under the hood once
you've noticed there's something wrong with the application.

Chad Perrin [ original content licensed OWL: ]
Common Reformulation of Greenspun's Tenth Rule:  Any sufficiently
complicated non-Lisp program contains an ad hoc informally-specified
bug-ridden slow implementation of half of Common Lisp.

More information about the freebsd-questions mailing list