Security of open source: Sunlight disinfects, but does it introduce germs as well?
The security of open source software took a small hit this week as Mozilla reported that Firefox currently contains a root certificate authority that has no owner. The fear being that this is a bogus CA inserted by hackers to provide trustworthiness to malicious sites.
This potentially provides an example of a nightmare scenario the anti-open-sourcers talk about: that hackers can inject back doors or introduce vulnerabilities within the open source development process.
Indeed, Fortify is drawing a rather extreme conclusion to this situation with its European director, Richard Kirk, stating that “this tilts the balance in favour of Microsoft’s Explorer”. That’s a ridiculous claim: in the browser war, this event will not move the needle one way or another. All it’s served to do is get much of the security community (which tends to favor openness) to jump on Fortify. Besides, while good theoretical arguments are made on both sides of the “security of open source versus closed source” debate, in practice it comes down to, well….practice. And it has been shown that one of the best practices is openness: whether closed or open source, an open and transparent disclosure process improves security over time.
I do agree with what Fortify’s Kirk says later, that “The important thing to stress, however, is the need for software security testing to identify and remove vulnerabilities from applications, rather than simply trying to block attacks on software by securing the network.”
Lesson #1: DO use these moments to offer constructive advice by raising awareness of issues and solutions.
Lesson #2: DON’T broadly attack an entire movement with biased statements. You’ll only make yourself a target for wrath and ridicule.