Open-source software security

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.

Open-source software versus open algorithms

A software project is in general an implementation of an algorithm. Although implementations can only be tested, and testing can only prove the presence of errors (and not their absence), algorithms can be proven correct.

In secret key cryptography, one of the premises is that the algorithm must be known and only a small piece of information must be kept secret: The secret key. That is, for a cypher to be considered secure, the algorithm must be proven to be correct and the proof must be available for whoever party that wants to use the cypher.

Therefore, in computer security, there is a consensus that algorithms must be open, however there is an ensuing debate whether implementations should be open-source (public) or proprietary software (secret).

Implementation debate

Source code is often checked, or audited, by developers to ensure that is has no security flaws. Supporters of open source software submit that the public availability of the source code allows more developers to inspect it, and therefore increases the likelihood of security bugs being located and fixed. Detractors submit that the source code's accessibility allows malicious users to find vulnerabilities more easily. Further benefits and drawbacks of open source software are shown below.

Benefits

Drawbacks

Metrics and models

There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.

Number of days between vulnerabilities

It is argued that a system is most vulnerable after a potential vulnerability is discovered, but before a patch is created. By measuring the number of days between the vulnerability and when the vulnerability is fixed, a basis can be determined on the security of the system. There are a few caveats to such an approach: not every vulnerability is equally bad, and fixing a lot of bugs quickly might not be better than only finding a few and taking a little bit longer to fix them, taking into account the operating system, or the effectiveness of the fix.[2]

Poisson process

The Poisson process can be used to measure the rates at which different people find security flaws between open and closed source software. The process can be broken down by the number of volunteers Nv and paid reviewers Np. The rates at which volunteers find a flaw is measured by λv and the rate that paid reviewers find a flaw is measured by λp. The expected time that a volunteer group is expected to find a flaw is 1/(Nv λv) and the expected time that a paid group is expected to find a flaw is 1/(Np λp).[2]

Morningstar model

By comparing a large variety of open source and closed source projects a star system could be used to analyze the security of the project similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such as system is as follows:[7]

Coverity scan

Coverity in collaboration with Stanford University has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software.[8] The level of quality and security is measured in rungs. Rungs do not have a definitive meaning, and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found by the Coverity Analysis results and the degree of collaboration with Coverity.[9] They start with Rung 0 and currently go up to Rung 2.

The project has been analyzed by Coverity’s Scan infrastructure, but no representatives from the open-source software have come forward for the results.[9]

At rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.[9]

There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.[9]

References

  1. Cowan, C. (January 2003). Software Security for Open-Source Systems. IEEE Security & Privacy, 38–45. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
  2. 1 2 3 Witten, B., Landwehr, C., & Caloyannides, M. (2001, September/October). Does Open Source Improve System Security? IEEE Software, 57–61. Retrieved 5 May 2008, from Computer Database.
  3. Wheeler, David A. Fully Countering Trusting Trust through Diverse Double-Compiling.
  4. Hoepman, J.-H., & Jacobs, B. (2007). Increased Security Through Open Source. Communications of the ACM , 50 (1), 79–83. Retrieved 5 May 2008, from ACM Digital Library.
  5. Lawton, G. (March 2002). Open Source Security: Opportunity or Oxymoron? Computer , 18–21. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
  6. Hansen, M., Köhntopp, K., & Pfitzmann, A. (2002). The Open Source approach – opportunities and limitations with respect to security and privacy. Computers & Security , 21 (5), 461–471. Retrieved 5 May 2008, from Computer Database.
  7. Peterson, G. (6 May 2008). Stalking the right software security metric. Retrieved 18 May 2008, from Raindrop.
  8. Coverity. (n.d.). Accelerating Open Source Quality. Retrieved 18 May 2008, from Scan.Coverity.com
  9. 1 2 3 4 Coverity. (n.d.). Scan Ladder FAQ. Retrieved 18 May 2008, from Scan.Coverity.com.
This article is issued from Wikipedia - version of the 11/22/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.