Open Source and security audits
Phil Windley quoted me as a skeptic. Since his website is widely read and this is a hot-button issue for many people, I would just like to clarify my position on the issue.
I think open source is quasi-necessary but not sufficient for true security. Closed source solutions basically mean blind trust in a vendor. I wouldn’t take relatively serious vendors like Oracle or Sun at face value, let alone one with a chequered past like Microsoft.
That said, the availability of source is not in itself a guarantee that security bugs will be found proactively, for two reasons:
- The “with enough eyeballs, all bugs are shallow” fallacy. While this may be true of a known bug, security is like the proverbial weakest link in a chain. Once a security bug is identified, it is relatively easy to fix and distribute; the real problem is becoming aware of its existence in the first place. This can only be done by systematic source audits searching for patterns like buffer overflows. This kind of systematic audit, as practised by the OpenBSD team or some companies like SuSE, is neither easy nor cheap. It will certainly not come about because a casual source browser stumbled upon an issue.
- Secondly, even a full audit of source code is not sufficient to identify all vulnerabilities. Ken Thompson, the inventor of Unix, demonstrated this in his classic paper Reflections on Trusting Trust (PDF), where he put a backdoor into the login program and successfully concealed his tracks in the source by moving the backdoor to bootstrapped compiler binaries.
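The kind of pattern search the first point describes, as an added example that is not part of the original post: a small Python audit that walks a constructed C fragment and flags calls with no destination bound. The function and sample names are my own, and the call list is the usual unbounded-copy set, not an exhaustive one.

```python
import re
from typing import List, Tuple

# Constructed sample C source (not from any real project) for the audit to walk.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy into a 32-byte buffer */
    puts(buf);
    return 0;
}

int read_line(void) {
    char line[64];
    gets(line);                   /* no length limit at all */
    return 0;
}

int safe_copy(const char *src) {
    char dst[16];
    snprintf(dst, sizeof dst, "%s", src);   /* bounded, so not flagged */
    return 0;
}
"""

# Call patterns a systematic audit searches for: copies or reads that take no
# destination size. The \b keeps wrappers such as safe_strcpy( from matching.
RISKY_CALLS: List[Tuple[str, str]] = [
    (r"\bgets\s*\(", "gets() has no length limit; use fgets(buf, sizeof buf, stdin)"),
    (r"\bstrcpy\s*\(", "strcpy() copies until NUL; use a size-bounded copy"),
    (r"\bstrcat\s*\(", "strcat() appends without a bound; use a size-bounded append"),
    (r"\bsprintf\s*\(", "sprintf() has no output bound; use snprintf()"),
    (r"\bscanf\s*\([^)]*%s", "scanf(\"%s\") reads unbounded; give a width, e.g. %63s"),
]

def audit_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, source line, note) for every risky call found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, note in RISKY_CALLS:
            if re.search(pattern, line):
                findings.append((lineno, line.strip(), note))
    return findings

if __name__ == "__main__":
    for lineno, line, note in audit_source(SAMPLE_C):
        print(f"line {lineno}: {line}\n    -> {note}")
```

A grep of this sort is only the first pass of an audit; every hit still needs a human to confirm whether the destination can actually be overrun.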