Security of Open Source Software Remains Frustratingly Opaque
In July, Fortify Software reported on the state of security in Open Source software (Open Source Projects Fall Short on Security).
To quote:
Enterprises often rely on open source software to save development time and money, but they shouldn't rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices…the study found that open source developers need to pay more serious attention to security, and enterprises should treat open source with healthy skepticism as they integrate it into their businesses.
However, a Coverity report released around the same time seemed to contradict Fortify's findings.
Coverity's David Maxwell on Quality Issues in Open Source Software
To quote:
Open source software just keeps getting better, according to a new report from Coverity, a San Francisco-based maker of source code analysis tools.
Specifically, Coverity's Scan Report on Open Source Software 2008, released last month, found a 16 percent reduction in static analysis defect density in the open source software it analyzed over the past two years, reflecting the elimination of more than 8,500 individual defects.
David Maxwell, Coverity's open source strategist interviewed for the article, goes on to state:
Between our first analysis and our most recent one, covering a span of two years, some projects have regressed, but the quality of many projects has improved. The difficulty, of course, is that since open source software covers a whole range of developer experience and code maturity, it's impossible to give one number to represent quality over time. The purpose [of Coverity's testing of open source software] has been to raise maturity to a higher level more quickly than other methods could achieve.
At base, Fortify looked at "11 popular projects" while Coverity focused on "the biggest open source projects." From the viewpoint of Coverity's report, some projects have improved in quality and security while others have regressed, whereas Fortify's report strongly asserts that security was not "taken seriously" in the first place by many popular open source projects. The result is a pair of contradictory and confusing messages that further muddle the already muddled state of Open Source security.
That some open source projects are "good at security" is laudable, but in the arena of international cyber-craft, it is simply not enough. Customers need clear, reliable, observable signals that overcome the asymmetric information problem and that motivate software manufacturers, whatever their stripe, to regularly produce software that can withstand highly foreseeable events. "Many eyes," while a favored philosophy of the open source movement, does not itself reliably or consistently communicate quality or security to other market participants. As such, "many eyes" fails to satisfy this need. In contrast, objective evaluation reports are helpful in moving toward customer-centric signals. This is why Coverity's and Fortify's efforts are so necessary, and contradictory reports so frustrating.
In the end, an important lesson might be highlighted for both the Open Source and Information Security communities: Open is not the same as clear.