From Wikipedia, the free encyclopedia
Open source software security is the measure of
assurance or guarantee in the freedom from danger and risk inherent
to an open source software system.
There is an ongoing debate on whether open source software
increases software security or is detrimental to its security.
There are a variety of different benefits and drawbacks for both
sides of the argument. There are also a variety of metrics and
models to measure the effectiveness of the security.
Benefits of open source
- More people can inspect the source code to find and fix a
- Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and to accept the rate that patches and updates
- The end user of open source code has the ability to change and modify the source to implement any extra security "features" they may wish for a specific use, which can extend to the kernel level if they so wish.
- It is assumed that any compiler that is used creates code that can be trusted, but it has been demonstrated by Ken Thompson that a compiler can be subverted using an eponymous Thompson hack to create faulty executables that are unwittingly produced by a
With access to the source code for the compiler, the developer has at least the ability to discover if there is any
- Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and still not be able to compromise the information. His ideas were the basis for many modern security practices, and it follows from them that security through obscurity is a bad practice.
Drawbacks of open source
- All people have access to the source code, including potential
Any unpatched vulnerability can be used by attackers.
- Simply making source code available does not guarantee review. A good example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit. At one point in time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or
- Having a large number of eyes reviewing code can "lull a user into a false sense of security". Having many users look at source code does not guarantee that security flaws will be found and fixed.
There are a variety of models and metrics to measure the
security of a system. These are a few methods that can be used to
measure the security of software systems.
Number of days between
It is argued that a system is most vulnerable after a potential
vulnerability is discovered but before a patch is created. By
measuring the number of days between the discovery of the
vulnerability and the release of its fix, a basis can be determined
for the security of the system. There are a few caveats to such an
approach: not every vulnerability is equally bad, and fixing a lot
of bugs quickly might not be better than finding only a few and
taking a little longer to fix them, once the operating system and
the effectiveness of the fix are taken into account.
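As an added illustration of the days-to-fix metric and of its first caveat (this is example code, not part of the original article), the Python below computes plain and severity-weighted time-to-fix figures over a constructed vulnerability log. The project names, dates, severities and the severity weights are all made up for the example; open flaws are counted up to the measurement date rather than ignored.

```python
"""Time-to-fix metric over a constructed vulnerability log (added example).

Each record is (project, severity, disclosed, fixed). The projects, dates,
severities and weights below are constructed for illustration; they are not
real advisories or a standard scoring scheme.
"""
from datetime import date
from statistics import mean, median

# Constructed sample data: two hypothetical projects, "alpha" and "beta".
# fixed=None means the flaw is still open on the measurement date.
RECORDS = [
    # (project, severity, disclosed, fixed)
    ("alpha", "critical", date(2024, 1, 3), date(2024, 1, 5)),
    ("alpha", "low", date(2024, 1, 10), date(2024, 3, 1)),
    ("alpha", "medium", date(2024, 2, 1), date(2024, 2, 8)),
    ("beta", "critical", date(2024, 1, 3), date(2024, 2, 2)),
    ("beta", "low", date(2024, 1, 4), date(2024, 1, 5)),
    ("beta", "low", date(2024, 1, 6), date(2024, 1, 7)),
    ("beta", "high", date(2024, 3, 1), None),
]

# Constructed measurement date for the log above.
TODAY = date(2024, 3, 11)

# Assumed weights: a critical flaw counts eight times as much as a low one.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}


def exposure_days(disclosed, fixed, today):
    """Days the flaw has been known but unfixed (open flaws count up to today)."""
    end = fixed if fixed is not None else today
    return (end - disclosed).days


def time_to_fix(records, project, today):
    """Plain and severity-weighted time-to-fix statistics for one project."""
    rows = [r for r in records if r[0] == project]
    days = [exposure_days(r[2], r[3], today) for r in rows]
    weights = [SEVERITY_WEIGHT[r[1]] for r in rows]
    return {
        "count": len(rows),
        "open": sum(1 for r in rows if r[3] is None),
        "mean_days": mean(days),
        "median_days": median(days),
        # Weighted mean: a slow fix of a critical flaw dominates the figure.
        "weighted_mean_days": sum(d * w for d, w in zip(days, weights)) / sum(weights),
    }


def rank_projects(records, today, metric):
    """Projects ordered best (lowest) to worst on the chosen metric."""
    projects = sorted({r[0] for r in records})
    return sorted(projects, key=lambda p: time_to_fix(records, p, today)[metric])


if __name__ == "__main__":
    for project in ("alpha", "beta"):
        print(project, time_to_fix(RECORDS, project, TODAY))
    # The ranking flips once severity is taken into account: "beta" closes
    # many trivial bugs fast but sat on a critical one for a month.
    print("by mean_days:", rank_projects(RECORDS, TODAY, "mean_days"))
    print("by weighted: ", rank_projects(RECORDS, TODAY, "weighted_mean_days"))
```

On this data "beta" looks better on the unweighted mean (10.5 days against 20) and worse on the severity-weighted mean (about 20.1 days against 7.4), which is exactly the caveat the paragraph raises: a raw count of days is only meaningful alongside some notion of how bad each flaw was.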
process can be used to measure the rates at which different
people find security flaws in open and closed source software.
The process can be broken down by the number of volunteers
Nv and paid reviewers Np. The rate at which a volunteer finds a
flaw is λv and the rate at which a paid reviewer finds a flaw is
λp. The expected time for the volunteer group to find a flaw is
1/(Nv λv) and the expected time for the paid group to find a flaw
is 1/(Np λp).
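The expected times above follow from modelling each reviewer as an independent Poisson process, so that a group's discovery rate is the head-count times the per-reviewer rate. The Python below (an added example, not code from the article) implements that model and, going one step beyond the text, also combines the two groups: because the minimum of two independent exponential waiting times is exponential with the summed rate, it can give the expected time until anyone finds the flaw, the probability of discovery within a window, and how many volunteers it takes to match the paid group. All rates used in the demo are constructed.

```python
"""Flaw-discovery race between volunteer and paid reviewers (added example).

Assumes, as the text does, that each reviewer finds a given flaw as an
independent Poisson process: rate lam_v per volunteer and lam_p per paid
reviewer, so N_v volunteers find it at rate N_v*lam_v and N_p paid
reviewers at rate N_p*lam_p. The combined functions additionally assume
the two groups search independently of each other.
"""
import math


def expected_time(n, lam):
    """Expected time for a group of n reviewers with per-reviewer rate lam: 1/(n*lam)."""
    if n <= 0 or lam <= 0:
        return math.inf  # nobody is looking, or nobody ever finds it
    return 1.0 / (n * lam)


def combined_expected_time(n_v, lam_v, n_p, lam_p):
    """Expected time until anyone in either group finds the flaw."""
    total = n_v * lam_v + n_p * lam_p
    return math.inf if total <= 0 else 1.0 / total


def prob_found_within(n_v, lam_v, n_p, lam_p, t):
    """Probability the flaw is found by someone within time t."""
    total = n_v * lam_v + n_p * lam_p
    return 1.0 - math.exp(-total * t)


def prob_volunteers_first(n_v, lam_v, n_p, lam_p):
    """Probability that a volunteer, rather than a paid reviewer, finds it first."""
    total = n_v * lam_v + n_p * lam_p
    return 0.0 if total <= 0 else (n_v * lam_v) / total


def volunteers_to_match(lam_v, n_p, lam_p):
    """Smallest volunteer head-count whose group rate is at least the paid group's."""
    if lam_v <= 0:
        return math.inf
    return math.ceil((n_p * lam_p) / lam_v)


if __name__ == "__main__":
    # Constructed rates (per day): volunteers are individually slower but more numerous.
    n_v, lam_v = 8, 0.0625   # group rate 0.5 flaws/day
    n_p, lam_p = 2, 0.5      # group rate 1.0 flaws/day
    print("volunteers alone:", expected_time(n_v, lam_v), "days")
    print("paid alone:      ", expected_time(n_p, lam_p), "days")
    print("either group:    ", combined_expected_time(n_v, lam_v, n_p, lam_p), "days")
    print("P(found in 2 d): ", prob_found_within(n_v, lam_v, n_p, lam_p, 2.0))
    print("P(volunteer 1st):", prob_volunteers_first(n_v, lam_v, n_p, lam_p))
    print("volunteers to match paid:", volunteers_to_match(lam_v, n_p, lam_p))
```

The model only compares rates; it says nothing about whether the flaw found is the one that matters, which is the same caveat the days-to-fix metric carries.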
By comparing a large variety of open source and closed source
projects, a star system could be used to analyze the security of a
project, similar to how Morningstar, Inc. rates mutual funds.
With a large enough data set, statistics could be used to measure
the overall effectiveness of one group over the other. An example
of such a system is as follows:
- 1 Star: Many security vulnerabilities.
- 2 Stars: Reliability issues.
- 3 Stars: Follows best security practices.
- 4 Stars: Documented secure development process.
- 5 Stars: Passed independent security review.
Coverity, in collaboration with Stanford University, has established
a new baseline for open source quality and security. The development
is being completed through a contract with the Department of
Homeland Security. They are utilizing innovations in automated
defect detection to identify critical types of bugs found in
software. The level of quality and security is measured in rungs.
Rungs do not have a definitive meaning, and can change as Coverity
releases new tools. Rungs are based on the progress of fixing issues
found by the Coverity Analysis results and the degree of collaboration
They start with Rung 0 and currently go up to Rung 2.
At Rung 0, the project has been analyzed by Coverity's Scan
infrastructure, but no representatives from the open source software
have come forward for the results.
At Rung 1, there is collaboration between Coverity and the
development team. The software is analyzed with a subset of the
scanning features to prevent the development team from being
At Rung 2, there are 11 projects that have been analyzed and
upgraded to that status by reaching zero defects in the first year of
the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN,
Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.