Log4Shell Gives Open Source Community a Wakeup Call

Just as it would be a mistake to say that all closed source projects are bug-free, it is a mistake to say that all open source projects are security risks. Different projects have different focuses; some are much more concerned with the security of their releases than others. Josh Berkus has identified five types of open source projects based on their structure:

- A solo project is the passion of one individual or, at most, a few dedicated people with the same vision.
- A monarchy is a successful solo project, like Linux, that has gained the support of a large community of contributors, so the original creator acts as a benevolent tyrant.
- A community project, such as PostgreSQL, springs up among peers with a similar goal and is driven by consensus.
- A corporate project is often released as a fork of a commercial product, as when Sun released OpenOffice as an open source fork of StarOffice. Its direction is guided by the company that released it.
- A foundation, the most formal, is a standalone business structure, of which Apache is perhaps the best example. There, a steering board makes the decisions.

In general, solo projects are the most exposed to security risks. Just as a writer can update his web page with any content whatsoever, a solo developer can update her code in the same way. Often there is not enough interest in a community to fork solo projects, so they become de facto standards. We saw this with faker.js and colors.js when Marak Squires modified his own packages to print flags and enter infinite loops; because so many downstream projects pulled new versions automatically through unpinned version ranges, the sabotaged releases broke builds as soon as they reached npm. Pinning dependencies and reviewing updates matters most for packages maintained by a single person.

The security of both open and closed source projects depends on the focus of their contributors rather than their structure. We have been lucky that Linus Torvalds has had security as one of his concerns. Theo de Raadt, OpenBSD's "benevolent dictator for life," has been conscious of security from the beginning. In contrast, both StarOffice (commercial) and OpenOffice had security holes that allowed remote execution of arbitrary code via crafted XML documents.

One of the ironies of open source is the assumption that many eyes improve security. For years we heard evangelists claim that open source was more secure because "the community" could review the code. The problem: "the community" rarely reviews the code, and everyone just assumed that someone else was doing it. That false sense of security blew up with Heartbleed, a bug that sat in OpenSSL, one of the most widely deployed libraries in existence, for about two years before anyone noticed. The reality of too much code and too few eyes means that we need better processes and automation (fuzzing, dependency scanning, funded code review) to improve open source security.