Open for Business

Tuesday, January 17, 2006

Is open source software more vulnerable?

Do you think that more eyeballs looking at open source projects make all bugs shallow, or, quite the contrary, that some of those eyeballs could be malicious and take advantage of the exposed code to attack your open-source-based systems?

Eric S. Raymond, in his essay The Cathedral and the Bazaar, named the idea "Linus's Law" after Linus Torvalds, the creator of Linux: "given enough eyeballs, all bugs are shallow". More formally: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone."

Apparently the U.S. Department of Homeland Security thinks otherwise: it is funding an ambitious three-year project aimed at improving the reliability and security of widely deployed open source projects. In late 2004 the San Francisco based source-code analysis company Coverity found that the Linux kernel had far fewer bugs than a typical commercial software package. According to this article, the same company was selected for this project, along with engineers from Stanford and the anti-virus vendor Symantec, to pinpoint and fix dangerous vulnerabilities (such as buffer overflows and memory allocation bugs) in widely used open source projects such as Linux, Apache, Mozilla and Sendmail.
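As an added illustration of the two defect classes just mentioned (constructed for this post; not code from Coverity or from any of the audited projects), here is a buffer overflow and a pair of memory allocation bugs in the shape a static analyzer flags, each beside a hardened version. The record type, the NAME_MAX limit and every function name are made up for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: the defect classes named above, each in its
 * deliberately vulnerable form beside a hardened version. Not code
 * from Linux, Apache, Mozilla, Sendmail or Coverity. */

#define NAME_MAX 16          /* assumed size of a caller's name buffer */

/* (1) Buffer overflow: dst is assumed large enough, so a source
 *     string of NAME_MAX bytes or more writes past its end. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);                    /* unbounded copy */
}

/* Hardened: the copy is bounded by the destination size, the result
 * is always NUL-terminated, and truncation is reported.
 * Returns 0 on success, -1 on bad arguments or truncation. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {                 /* would not fit with the NUL */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Small strdup replacement so the example sticks to ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);

    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

struct record {
    char *name;
    char *email;
};

/* (2) Memory allocation bugs: the malloc result is dereferenced with
 *     no NULL check, and a failed dup_str is never detected, so a
 *     record with a NULL field is handed back to the caller. */
struct record *record_new_unsafe(const char *name, const char *email)
{
    struct record *r = malloc(sizeof *r);

    r->name = dup_str(name);             /* r may be NULL here */
    r->email = dup_str(email);           /* failure goes unnoticed */
    return r;
}

void record_free(struct record *r)
{
    if (r == NULL)
        return;
    free(r->name);
    free(r->email);
    free(r);
}

/* Hardened: every allocation is checked and one error path releases
 * whatever was already acquired. Returns NULL on failure. */
struct record *record_new_safe(const char *name, const char *email)
{
    struct record *r = calloc(1, sizeof *r);

    if (r == NULL)
        return NULL;
    r->name = dup_str(name);
    if (r->name == NULL)
        goto fail;
    r->email = dup_str(email);
    if (r->email == NULL)
        goto fail;
    return r;

fail:
    record_free(r);                      /* frees only the parts that exist */
    return NULL;
}
```

The unsafe variants are kept only for contrast; the hardened ones are the shape a reviewer or an analyzer would want to see, with the size passed in alongside the buffer and every allocation result checked before use.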

I can't wait to see whether the results of this project confirm Linus's Law or not. In my opinion, there is no general rule here. Open source is neither safer nor more vulnerable than commercial software; it really depends on what we are comparing. An open source project is going to be more or less reliable based on its popularity (nobody was interested in attacking Firefox until it became successful), the governance behind it, the size of the community (the more the better)...
