[late followup] On Sat, Aug 13, 2005 at 07:32:20PM +0100, Dave Howe wrote:
> Rich Kulawiec wrote:
> > More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.
>
> TBH though, usually the open source "faith based" approach to security doesn't cut it either. It's easy to say "it's open source, therefore anyone can check the code" but much harder to actually find someone who has taken the time to do it....
Ah, but I covered that, or at least I thought I did:

"D. Any piece of source code which hasn't been subjected to widespread peer review should be presumed untrustworthy -- because it not only hasn't been shown to be otherwise, the attempt hasn't even been made. (Note that the contrapositive isn't true -- peer review is only a necessary condition, not a sufficient one.)"

Which means: just because it's open source and therefore anyone can check it, doesn't mean that anyone has...or that they're competent...or that they were thorough...or that they found all the issues. Like I said, it's a necessary condition, not a sufficient one.

But...even with all the tools that have been developed -- everything from formal proofs of correctness to array bounds checkers to stack overflow guards to you-name-it...it seems that in 2005 the very best available/practical method we have for trying to produce secure code is "lots and lots of independent and clueful eyeballs". I'm not saying that's a desirable situation, because it's not: it would be nice if we had something better. But we don't, at least not yet. Another way of putting it: no matter who "you" are, from one lone programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides some measure of security. I'm not buying it: I don't think there's any such thing as "secret source code". And even if there was: if someone with enough cash to fill a briefcase wants it: they WILL get it.

I suppose what I'm saying is: let's drop the pretense that "closed-source" really and truly exists, let's get the critical code out in the open, and let's get started with the process of beating it into shape. Because we're already paying (and paying and paying) a huge price for continuing the charade.

---Rsk