Open source software security
Open source software security is the degree of assurance that an open source software system is free from the dangers and risks inherent to it.
The debate
There is an ongoing debate over whether open source software increases software security or is detrimental to it. There are benefits and drawbacks on both sides of the argument, and a variety of metrics and models have been proposed to measure how secure a system is.
Benefits of open source security
- More people can inspect the source code to find and fix a possible vulnerability.
- Proprietary software forces the user to accept the level of security that the vendor is willing to deliver, and the rate at which patches and updates are released.
- The end user of open source code can change the source to implement any extra security "features" they want for a specific use, which can extend to the kernel level if they so wish.
- It is usually assumed that the compiler produces code that can be trusted, but Ken Thompson demonstrated (in his lecture "Reflections on Trusting Trust") that a compiler can be subverted so that a well-intentioned developer unwittingly produces backdoored executables. Access to the compiler's source code is at least a precondition for discovering such mal-intention. The caveat a practitioner should keep in mind is that Thompson's attack is designed to survive source inspection, since the backdoor lives only in the compiler binary; the practical check is to rebuild the compiler from source with an independent, trusted compiler and compare the results (David A. Wheeler's diverse double-compiling).
- Kerckhoffs' principle holds that a cryptosystem should remain secure even if everything about it except the key is public knowledge, i.e. an enemy who captures a military system should not be able to compromise the information it protects. His ideas were the basis for many modern security practices, and it follows from them that security through obscurity is a bad practice.
Drawbacks of open source security
- All people have access to the source code, including potential attackers. Any unpatched vulnerability can be used by attackers.
- Simply making source code available does not guarantee review. A good example is Marcus Ranum, an expert on security system design and implementation, who released his first public firewall toolkit: at one point over 2,000 sites were using it, but only 10 people gave him any feedback or patches.
- Having a large number of eyes on the code can "lull a user into a false sense of security". Many users being able to look at the source does not guarantee that security flaws will be found and fixed.
Metrics and Models
There are a variety of models and metrics for measuring the security of a system. The following are a few methods that can be applied to software systems.
Number of days between vulnerabilities
It is argued that a system is most vulnerable after a vulnerability is discovered but before a patch is available. Measuring the number of days between the discovery of a vulnerability and its fix gives a basis for judging the security of the system. There are caveats to such an approach: not every vulnerability is equally bad; fixing a lot of bugs quickly is not necessarily better than finding only a few and taking somewhat longer to fix them; and the operating system and the effectiveness of the fix also have to be taken into account.
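As an added example, not part of the original article, the following Python computes the days-between-discovery-and-fix metric over constructed vulnerability records and puts the first caveat into numbers. The severity weights and the two sample projects are assumptions made purely for illustration (no real projects or CVEs): project A fixes many low-severity bugs quickly but leaves one critical flaw open for a month, project B fixes fewer bugs more slowly but none worse than medium, and the severity-weighted exposure ranks them in the opposite order from the raw mean.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median

# Assumed severity weights (illustrative, not from the article): one day of
# exposure to a critical flaw counts eight times as much as a day of a low one.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability: when it became known and when a fix shipped."""
    project: str
    severity: str
    disclosed: date
    fixed: date

    def exposure_days(self) -> int:
        # The window the article calls the most dangerous period.
        if self.fixed < self.disclosed:
            raise ValueError(f"{self.project}: fix date precedes disclosure")
        return (self.fixed - self.disclosed).days


def summarize(records):
    """Raw and severity-weighted time-to-fix statistics for one project."""
    if not records:
        raise ValueError("no records")
    days = [r.exposure_days() for r in records]
    weighted = [d * SEVERITY_WEIGHT[r.severity] for r, d in zip(records, days)]
    return {
        "count": len(days),
        "mean_days": mean(days),
        "median_days": median(days),
        "max_days": max(days),
        # Sum over flaws of (days exposed x severity weight).
        "weighted_exposure": sum(weighted),
    }


# Constructed sample data (not real projects or CVEs).
# Project A: four low-severity bugs fixed in two days each, one critical open 30 days.
PROJECT_A = [
    VulnRecord("A", "low", date(2023, 1, 2), date(2023, 1, 4)),
    VulnRecord("A", "low", date(2023, 2, 1), date(2023, 2, 3)),
    VulnRecord("A", "low", date(2023, 3, 6), date(2023, 3, 8)),
    VulnRecord("A", "low", date(2023, 4, 3), date(2023, 4, 5)),
    VulnRecord("A", "critical", date(2023, 5, 1), date(2023, 5, 31)),
]
# Project B: two medium-severity bugs, each fixed in ten days.
PROJECT_B = [
    VulnRecord("B", "medium", date(2023, 1, 10), date(2023, 1, 20)),
    VulnRecord("B", "medium", date(2023, 6, 1), date(2023, 6, 11)),
]


def rank_by(metric):
    """Project names ordered best (lowest) to worst on the given metric."""
    scores = {name: summarize(recs)[metric]
              for name, recs in (("A", PROJECT_A), ("B", PROJECT_B))}
    return sorted(scores, key=scores.get)


if __name__ == "__main__":
    for name, recs in (("A", PROJECT_A), ("B", PROJECT_B)):
        print(name, summarize(recs))
    print("ranked by mean_days:", rank_by("mean_days"))
    print("ranked by weighted_exposure:", rank_by("weighted_exposure"))
```

On this data project A has the lower mean time to fix (7.6 days against 10) yet more than six times the weighted exposure (248 against 40), which is exactly why a single days-to-fix figure should not be read without a severity breakdown.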
Poisson process
The Poisson process can be used to model the rates at which different groups of people find security flaws in open and closed source software. The model distinguishes the number of volunteers Nv from the number of paid reviewers Np. The rate at which a single volunteer finds a flaw is λv and the rate at which a single paid reviewer finds a flaw is λp. Because independent Poisson processes superpose into a single Poisson process whose rate is the sum of the individual rates, the expected time for the volunteer group to find a flaw is 1/(Nv λv) and the expected time for the paid group is 1/(Np λp).
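An added example, not taken from the article: the Python below evaluates the model's expected times for given Nv, λv, Np, λp, extends it to the case where both groups look at the same code (rates add) and to the probability that the volunteer group finds a flaw first (for independent Poisson processes the first event belongs to each process with probability equal to its share of the total rate), and checks the closed forms against a Monte Carlo simulation of exponential first-find times. The reviewer counts and per-reviewer rates are assumed values chosen for illustration.

```python
import math
import random


def expected_time_to_first_find(n_reviewers, rate_per_reviewer):
    """E[T] for a group of n reviewers, each finding flaws as an independent
    Poisson process with the given rate: the superposition is Poisson with
    rate n*rate, so the first find is exponential with mean 1/(n*rate)."""
    group_rate = n_reviewers * rate_per_reviewer
    if group_rate <= 0:
        return math.inf  # nobody is looking: the flaw is never found this way
    return 1.0 / group_rate


def combined_expected_time(n_v, lam_v, n_p, lam_p):
    """Both groups looking at the same code: rates add, so 1/(Nv*lv + Np*lp)."""
    total = n_v * lam_v + n_p * lam_p
    return math.inf if total <= 0 else 1.0 / total


def probability_volunteers_first(n_v, lam_v, n_p, lam_p):
    """P(volunteers find the flaw before paid reviewers). For two independent
    Poisson processes the first event belongs to either one with probability
    equal to that process's share of the total rate."""
    total = n_v * lam_v + n_p * lam_p
    if total <= 0:
        raise ValueError("at least one group must have a positive rate")
    return (n_v * lam_v) / total


def simulate_race(n_v, lam_v, n_p, lam_p, trials=20000, seed=1):
    """Monte Carlo check of the closed forms: draw each group's first-find time
    from an exponential with the group rate, record who won and how long it took.
    Returns (fraction of trials volunteers won, mean time to first find)."""
    rng = random.Random(seed)
    wins = 0
    total_time = 0.0
    for _ in range(trials):
        t_v = rng.expovariate(n_v * lam_v)
        t_p = rng.expovariate(n_p * lam_p)
        if t_v < t_p:
            wins += 1
        total_time += min(t_v, t_p)
    return wins / trials, total_time / trials


if __name__ == "__main__":
    # Assumed illustrative numbers: 50 volunteers each finding 0.01 flaws per
    # week, versus 2 paid reviewers each finding 0.2 flaws per week.
    N_V, LAM_V, N_P, LAM_P = 50, 0.01, 2, 0.2
    print("volunteers alone: E[T] =", expected_time_to_first_find(N_V, LAM_V), "weeks")
    print("paid alone:       E[T] =", expected_time_to_first_find(N_P, LAM_P), "weeks")
    print("both groups:      E[T] =", combined_expected_time(N_V, LAM_V, N_P, LAM_P), "weeks")
    print("P(volunteers first) =", probability_volunteers_first(N_V, LAM_V, N_P, LAM_P))
    print("simulated (P, E[T]) =", simulate_race(N_V, LAM_V, N_P, LAM_P))
```

With these assumed numbers the two groups are close (volunteers 2 weeks, paid reviewers 2.5 weeks), and the model says the only thing that matters is the product N·λ: fifty occasional reviewers and two dedicated ones are nearly interchangeable, which is the quantitative form of the "many eyes" argument and of its limits, since λv for a reviewer who never actually reads the code is zero.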
Morningstar model
By comparing a large variety of open source and closed source projects, a star system could be used to rate the security of a project, similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such a system is as follows:
- 1 Star: Many security vulnerabilities.
- 2 Stars: Reliability issues.
- 3 Stars: Follows best security practices.
- 4 Stars: Documented secure development process.
- 5 Stars: Passed independent security review.
Coverity scan
Coverity, in collaboration with Stanford University, has established a new baseline for open source quality and security. The work is being done under a contract with the Department of Homeland Security and uses automated defect detection to identify critical types of bugs in software. The level of quality and security is measured in rungs. Rungs have no fixed definition and can change as Coverity releases new tools; they are based on the progress made in fixing issues reported by the Coverity analysis and on the degree of collaboration with Coverity. They start at Rung 0 and currently go up to Rung 2.
- Rung 0: The project has been analyzed by Coverity's Scan infrastructure, but no representatives of the project have come forward to receive the results.
- Rung 1: There is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features so that the development team is not overwhelmed.
- Rung 2: Eleven projects have been analyzed and promoted to Rung 2 by reaching zero defects in the first year of the scan: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.
External links
- Bruce Schneier: Open Source and Security Crypto-Gram Newsletter, September 15, 1999