Open-source software security
Data sourced from Wikipedia, displayed by DefZone.Net
Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.[1]
Implementation debate
Benefits
- Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and to accept the rate at which patches and updates are released.[2][3]
- It is assumed that any compiler that is used creates code that can be trusted, but Ken Thompson demonstrated that a compiler can be subverted with a compiler backdoor so that a well-intentioned developer unwittingly produces faulty executables.[4] With access to the compiler's source code, the developer at least has the ability to discover whether it contains anything malicious.[5]
- Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and still not be able to compromise the information it protects. His ideas were the basis for many modern security practices, and from them it follows that security through obscurity is a bad practice.[6]
Drawbacks
- Simply making source code available does not guarantee review. An example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit.[7] At one time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or patches.[8]
- Having a large amount of eyes reviewing code can "lull a user into a false sense of security".[9] Having many users look at source code does not guarantee that security flaws will be found and fixed.
Metrics and models
There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.
Number of days between vulnerabilities
It is argued that a system is most vulnerable after a potential vulnerability is discovered but before a patch is created. By measuring the number of days between the discovery of a vulnerability and the release of its fix, a baseline for the security of the system can be established. There are a few caveats to such an approach: not every vulnerability is equally bad, and fixing a lot of bugs quickly might not be better than finding only a few and taking a little longer to fix them, once the operating system and the effectiveness of the fix are taken into account.[4]
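The following Python script is an added worked example, not part of the article or its cited sources. It computes the days-between-discovery-and-fix metric over a handful of constructed vulnerability records (the ids, dates and severity scores are made up), and adds a severity-weighted variant as one way to address the caveat that not every vulnerability is equally bad; the weighting scheme is an assumption of this example, not something the article prescribes.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability: when it became known and when a fix shipped."""
    vuln_id: str
    discovered: date
    fixed: Optional[date]   # None means no fix has shipped yet
    severity: float         # assumed CVSS-style base score in [0, 10]

    def days_exposed(self, today: date) -> int:
        """Days between discovery and fix; an open issue counts up to `today`."""
        end = self.fixed if self.fixed is not None else today
        if end < self.discovered:
            raise ValueError(f"{self.vuln_id}: fix date precedes discovery date")
        return (end - self.discovered).days


# Constructed sample data: ids, dates and severities are illustrative only.
SAMPLE = [
    VulnRecord("EX-1", date(2024, 1, 10), date(2024, 1, 13), 9.8),
    VulnRecord("EX-2", date(2024, 2, 1), date(2024, 3, 2), 5.3),
    VulnRecord("EX-3", date(2024, 2, 20), date(2024, 2, 21), 4.0),
    VulnRecord("EX-4", date(2024, 3, 15), None, 7.5),
]

# Constructed "as of" date for the still-open record.
TODAY = date(2024, 4, 1)


def mean_days_exposed(records, today):
    """The plain metric: average number of days between discovery and fix."""
    return mean(r.days_exposed(today) for r in records)


def severity_weighted_days(records, today):
    """Weight each exposure window by severity, so one long-open critical
    issue is not masked by many trivial issues that were fixed quickly."""
    total_weight = sum(r.severity for r in records)
    return sum(r.severity * r.days_exposed(today) for r in records) / total_weight


def open_exposures(records, today):
    """Vulnerabilities with no fix yet, and how long they have been exposed."""
    return {r.vuln_id: r.days_exposed(today) for r in records if r.fixed is None}


if __name__ == "__main__":
    print("mean days exposed:", mean_days_exposed(SAMPLE, TODAY))
    print("severity-weighted days:", round(severity_weighted_days(SAMPLE, TODAY), 2))
    print("still open:", open_exposures(SAMPLE, TODAY))
```

On the constructed records the unweighted mean is 12.75 days while the severity-weighted figure is about 12.03 days; the difference is small here, but the weighted form is what makes a single long-lived critical issue visible in the aggregate rather than averaged away.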
Poisson process
The Poisson process can be used to measure the rates at which different people find security flaws in open and closed source software. The process can be broken down by the number of volunteers N_v and paid reviewers N_p. The rate at which volunteers find a flaw is measured by λ_v and the rate at which paid reviewers find a flaw is measured by λ_p. The expected time for a volunteer group to find a flaw is 1/(N_v λ_v) and the expected time for a paid group to find a flaw is 1/(N_p λ_p).[4]
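As an added worked example (not from the article or the source it cites), the Python below models the Poisson-process metric with the symbols above. It computes 1/(N_v λ_v) and 1/(N_p λ_p) for constructed group sizes and rates, goes one step beyond the text by treating the two groups reviewing the same code as a superposition of independent Poisson processes (combined rate N_v λ_v + N_p λ_p), and checks the closed-form expectation by simulation, since the first find of a group of N reviewers is the minimum of N independent exponential waiting times.

```python
import random
from statistics import mean


def expected_time_to_flaw(n_reviewers: int, rate_per_reviewer: float) -> float:
    """Expected time until a group of n reviewers, each finding flaws as a
    Poisson process with rate λ, finds its first flaw: 1/(n λ)."""
    if n_reviewers <= 0 or rate_per_reviewer <= 0:
        raise ValueError("need at least one reviewer with a positive discovery rate")
    return 1.0 / (n_reviewers * rate_per_reviewer)


def expected_time_combined(n_v: int, lam_v: float, n_p: int, lam_p: float) -> float:
    """Volunteers and paid reviewers working on the same code: the
    superposition of independent Poisson processes is itself Poisson with
    rate N_v λ_v + N_p λ_p, so the first find is expected at 1/(N_v λ_v + N_p λ_p)."""
    combined_rate = n_v * lam_v + n_p * lam_p
    if combined_rate <= 0:
        raise ValueError("combined discovery rate must be positive")
    return 1.0 / combined_rate


def simulate_time_to_first_flaw(n_reviewers: int, rate_per_reviewer: float,
                                trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of expected_time_to_flaw: each reviewer's first find is
    exponentially distributed with rate λ, and the group's first find is the
    minimum over reviewers. The seed makes the run reproducible."""
    rng = random.Random(seed)
    samples = [
        min(rng.expovariate(rate_per_reviewer) for _ in range(n_reviewers))
        for _ in range(trials)
    ]
    return mean(samples)


if __name__ == "__main__":
    # Constructed parameters: 50 volunteers at 0.002 flaws/day each,
    # 5 paid reviewers at 0.02 flaws/day each (both groups yield 0.1 flaws/day).
    n_v, lam_v, n_p, lam_p = 50, 0.002, 5, 0.02
    print("volunteers, expected days to first flaw:", expected_time_to_flaw(n_v, lam_v))
    print("paid, expected days to first flaw:", expected_time_to_flaw(n_p, lam_p))
    print("both together:", expected_time_combined(n_v, lam_v, n_p, lam_p))
    print("simulated (10 reviewers at 0.01/day):", round(simulate_time_to_first_flaw(10, 0.01), 2))
```

The point the simulation makes is that the metric only depends on the product N λ: ten volunteers each finding flaws at 0.01 per day are, for time-to-first-discovery, indistinguishable from one paid reviewer at 0.1 per day, which is why the model separates head count from per-reviewer rate.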
Morningstar model
By comparing a large variety of open source and closed source projects, a star system could be used to analyze the security of a project, similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such a system is as follows:[10]
- 1 Star: Many security vulnerabilities.
- 2 Stars: Reliability issues.
- 3 Stars: Follows best security practices.
- 4 Stars: Documented secure development process.
- 5 Stars: Passed independent security review.
Coverity scan
Coverity, in collaboration with Stanford University, has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software.[11][12][13] The level of quality and security is measured in rungs. Rungs do not have a definitive meaning, and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found by the Coverity Analysis results and the degree of collaboration with Coverity.[14] They start with Rung 0 and currently go up to Rung 2.
- Rung 0
The project has been analyzed by Coverity's Scan infrastructure, but no representatives of the open-source project have come forward to receive the results.[14]
- Rung 1
At rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.[14]
- Rung 2
There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan.[15] These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and Tcl.[14][16]
References
- [1] Hoepman, Jaap-Henk; Jacobs, Bart (26 April 2005). "Software Security Through Open Source" (PDF). www.cs.ru.nl. Netherlands: Institute for Computing and Information Sciences. Archived from the original (PDF) on 12 May 2019. Retrieved 26 March 2026.
- [2] Cowan, C. (January 2003). "Software Security for Open-Source Systems". IEEE Security & Privacy, 38–45. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
- [3] Wasson, Dewayne (18 July 2022). "Open-source software – Security concerns in a corporate environment" (PDF). www.davenport.edu. Davenport University. Archived from the original (PDF) on 1 February 2023. Retrieved 26 March 2026.
- [4] Witten, B.; Landwehr, C.; Caloyannides, M. (September/October 2001). "Does Open Source Improve System Security?". IEEE Software, 57–61. Retrieved 5 May 2008, from Computer Database.
- [5] Thompson, Ken (August 1984). "Reflections on Trusting Trust" (PDF). www.cs.cmu.edu. Turing Award Lecture. Archived from the original (PDF) on 9 February 2024. Retrieved 26 March 2026.
- [6] Hoepman, J.-H.; Jacobs, B. (2007). "Increased Security Through Open Source". Communications of the ACM, 50 (1), 79–83. Retrieved 5 May 2008, from ACM Digital Library.
- [7] Wilson, David L. (May 2004). "Risk Perception and Trusted Computer Systems: Is Open Source Software Really More Secure than Proprietary Software?" (PDF). www.cerias.purdue.edu. CERIAS Tech Report 2004-07. Archived from the original (PDF) on 11 August 2017. Retrieved 26 March 2026.
- [8] Lawton, G. (March 2002). "Open Source Security: Opportunity or Oxymoron?". Computer, 18–21. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
- [9] Hansen, M.; Köhntopp, K.; Pfitzmann, A. (2002). "The Open Source approach – opportunities and limitations with respect to security and privacy". Computers & Security, 21 (5), 461–471. Retrieved 5 May 2008, from Computer Database.
- [10] Peterson, G. (6 May 2008). "Stalking the right software security metric". Retrieved 18 May 2008, from Raindrop.
- [11] "Coverity Scan - Static Analysis". scan.coverity.com. Archived from the original on 5 March 2016. Retrieved 26 March 2026.
- [12] "Perl und PHP erreichen zweite Sprosse der Sicherheitsleiter: Coverity: Elf Open-Source-Projekte besonders sicher" [Perl and PHP reach the second rung of the security ladder: Coverity: eleven open-source projects especially secure]. Computerwoche (in German). 10 January 2008. Archived from the original on 25 March 2026. Retrieved 26 March 2026.
- [13] "Coverity: Elf Open-Source-Projekte besonders sicher" [Coverity: eleven open-source projects especially secure]. DER STANDARD (in Austrian German). 18 January 2008. Archived from the original on 25 March 2026. Retrieved 26 March 2026.
- [14] "Coverity Scan - Static Analysis". scan.coverity.com. Archived from the original on 6 March 2016. Retrieved 26 March 2026.
- [15] Espiner, Tom. "Coverity reveals common open-source code flaws". ZDNet. Archived from the original on 23 August 2019. Retrieved 26 March 2026.
- [16] "Coverity investigating open source security". InfoWorld. 10 January 2008. Archived from the original on 25 March 2026. Retrieved 26 March 2026.
External links
- Bruce Schneier: "Open Source and Security", Crypto-Gram Newsletter, 15 September 1999
- Messmer, Ellen. (2013). "Security of open-source software again being scrutinized". Network World, 30(5), 12-12,14. (Article at CIO magazine)
- Census Project / Core Infrastructure Initiative Archived 6 December 2018 at the Wayback Machine by Linux Foundation