BBC TV: Click: Free=beer and facebook-flaming

simo simo.sorce at xsec.it
Sun May 18 14:50:19 UTC 2008


On Sun, 2008-05-18 at 12:42 +0200, Florian Weimer wrote:

> These days, there's hardly any widely used piece of proprietary software
> for which you can't get the source code.

To be honest, I don't see how this statement is true.

>   You can't make modifications,
> and there might be restrictions with whom you can share your results,

This is the problem. In most cases, whoever finds bugs is someone who
is considering or trying to use said free software in new code. If you
are building something new, generally you are going to exercise part of
the existing code that may not have been exercised in previous uses.
This is a great way to find new bugs or deficiencies, and sometimes
these also turn out to be security issues.

If you can't reuse the code, there are fewer chances to catch errors in
it. The more the code is reused, the more it is tested in different
conditions, the more it becomes robust and flaws are eliminated. There
is still space for subtle bugs that may not cause errors, but the mere
fact that lots of people start looking at the code when working on it
makes it possible for some bugs to be spotted.

Add to that the "community" aspect. In most cases when you have a bug in
some widespread proprietary software you simply live with it. Or
maybe you even change software, but you don't report it, because there
is no accessible community that will take the issue seriously even if
you are not paying big money to some company, and will help you. More
reports of this kind mean more fixes as well, again more exercise and
feedback.

> but security reviews based on source code are definitely possible.

They are, and availability of the source allows you to run tools that
automatically analyze and discover defects. But these tools can only go
so far.

> It's also not clear if source code availability is that helpful for
> uncovering security bugs.

When source code is available you get individuals willing to uncover
bugs. In the Samba community it is not uncommon to get security reports
from professional bug hunters. That is possible mostly because source
code is available, as the protocol is complex enough that just blind
testing (which we already do in many cases with our protocol analysis
tools) is not enough to find all defects.

Black boxes are definitely harder to check.

Simo.



