Thursday, July 24, 2008

Yes, Linus, There Is a Difference

The security community and the open source development community have been clashing mightily over the past week, and the results are anything but pretty. It's always ugly when two groups that should be working side by side are found to be miles apart.

Linus Torvalds, the inventor of the popular open-source Linux operating system, fired the first salvo when he said in an online forum that "security people are often the black-and-white kind of people that I can't stand."

In an email, Torvalds criticized the creators of the OpenBSD environment, an open-source version of Unix that is designed to be secure.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them," Torvalds said. "To me, security is important. But it's no less important than everything else that is also important!"

While Torvalds was flaming the entire security community in a public forum, Fortify Software published the results of a study that made similarly blanket comments about open source developers, using data on 11 different open source projects to demonstrate that the open source development process is rife with security flaws. (See Report: Vulnerabilities Abound in Open-Source Environments.)

It's these sorts of blanket statements that cause enmity and outright dislike between two groups. Any statement that starts with "those people" is headed in the wrong direction. Security experts and open source developers should be digging trenches together, not firing shots at each other.

Torvalds's comments, in particular, are chauvinistic and disingenuous. If he were Mel Gibson or Al Sharpton, he'd have been run out of town on a rail for making such stereotypical comments in an open forum. But since he's a quirky computer genius and the people he was talking about don't have a political action committee, everybody seems to be letting it slide.

More importantly, Torvalds is just flat wrong. In his comments, he suggests that finding a security flaw in source code is no different than finding any other code flaw. But there is a huge difference. An everyday development flaw can jeopardize the usability of an application, or even a hard drive. But a security flaw can lead to the loss of a company's data, or its customers'. If I build a house that is unsafe, it threatens the inhabitants. If I build a bank that is insecure, it threatens not only the welfare of the business, but the lives of thousands of customers.

Fortify's study was more informed, and certainly less bigoted. But its conclusions -- that all open source projects contain security flaws and that open source projects may become an Achilles' heel for business -- stirred a pot that was too broad, and led to plenty of ire in the open source community.

It's true that open source development projects are rife with security vulnerabilities. But aren't all software development projects rife with security vulnerabilities? Commercial and in-house development teams make many of the same mistakes as open source developers, and the results are just as dangerous. In fact, if you look at the whole body of news here at Dark Reading, you'll see many more vulnerability stories about commercial programs than about open source applications.

The truth, as usual, lies somewhere between two extremes. Security people aren't unreasonable to consider their vulnerabilities more serious than, say, a user interface flaw. Many open source developers need to work on building security more directly into the development process, as all programmers do. But it's not fair to call open source the weak link in the enterprise security chain.

Maybe what both sides need to do is quit generalizing and start finding ways to work together. We should welcome the notion that open source developers are sitting up and paying attention to the security community, even if it's initially in a negative way. It's past time to get this discussion going.
