
Is Code Auditing of Open Source Apps Necessary?

CmdrTaco posted more than 4 years ago | from the but-I-thought-there-were-no-bugs dept.

Security 108

An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"


108 comments

Yes. (5, Insightful)

wed128 (722152) | more than 4 years ago | (#30536246)

Next Question.

Re:Yes. (3, Insightful)

causality (777677) | more than 4 years ago | (#30536354)

Next Question.

No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

Re:Yes. (5, Funny)

Thanshin (1188877) | more than 4 years ago | (#30536532)

No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

No.

They should pass an accelerated three month course on how to mix cement, then spend six months mixing cement for $300/month and then change jobs saying in their CV that they have five years of experience in construction. Only then are they ready to apply their experience to design a bridge.

When the first car goes over it and falls to its demise, they just have to patch the bridge.

After a couple of years and innumerable patches, the bridge, now essentially a pile of cement over a chasm, will finally stop dropping more than a couple cars per day to the void. At that point, the engineers are ready to find a management position.

Re:Yes. (1)

ByOhTek (1181381) | more than 4 years ago | (#30536782)

Ahh, if they hired engineers like they hired software devs.

Actually, where's the guy with the woodpecker destroying civilization in his sig when you need him?

Monty Python Engineering (1, Funny)

Anonymous Coward | more than 4 years ago | (#30536898)

King of Swamp Castle: When I first came here, this was all swamp. Everyone
said I was daft to build a castle on a swamp, but I built in all the same,
just to show them. It sank into the swamp. So I built a second one. And that
one sank into the swamp. So I built a third. That burned down, fell over,
and then sank into the swamp. But the fourth one stayed up. And that's what
you're going to get, Son, the strongest castle in all of England.

Re:Monty Python Engineering (3, Funny)

Savage-Rabbit (308260) | more than 4 years ago | (#30537036)

King of Swamp Castle: When I first came here, this was all swamp. Everyone
said I was daft to build a castle on a swamp, but I built in all the same,
just to show them. It sank into the swamp. So I built a second one. And that
one sank into the swamp. So I built a third. That burned down, fell over,
and then sank into the swamp. But the fourth one stayed up. And that's what
you're going to get, Son, the strongest castle in all of England.

That sounds a lot like the development history of Windows.

Re:Monty Python Engineering (1)

Nutria (679911) | more than 4 years ago | (#30538744)

That sounds a lot like the development history of Windows.

Well yes, and an example that "persistence pays off".

Re:Monty Python Engineering (1)

Thinboy00 (1190815) | more than 4 years ago | (#30539988)

King of Swamp Castle: When I first came here, this was all swamp. Everyone
said I was daft to build a castle on a swamp, but I built in all the same,
just to show them. It sank into the swamp. So I built a second one. And that
one sank into the swamp. So I built a third. That burned down, fell over,
and then sank into the swamp. But the fourth one stayed up. And that's what
you're going to get, Son, the strongest castle in all of England.

That sounds a lot like the development history of Windows.

So the first one is DOS (except for the "built it myself" part), the second one is Win3.1, the third is Win ME, and the fourth is XP? Where do Vista and 7 fit in?

Re:Monty Python Engineering (1)

martin-boundary (547041) | more than 4 years ago | (#30540646)

Win3.1 wasn't an OS, it was only an app that ran on top of DOS. No idea about Win ME. The first true new OS after DOS in the windows family was WinNT.

Re:Yes. (3, Interesting)

dkleinsc (563838) | more than 4 years ago | (#30536990)

I'm reminded of the method of quality assurance used by the Romans: After putting in the capstone of an arch, the engineer responsible for creating that arch was required to stand under it while the wooden scaffolding was removed.

Re:Yes. (2, Insightful)

tool462 (677306) | more than 4 years ago | (#30537194)

Interesting. I can think of another field where this could be useful:

Require all fund managers to have a significant portion of their net worth in the funds they manage. If the fund collapses, they go down with the ship.

Re:Yes. (1)

TubeSteak (669689) | more than 4 years ago | (#30537048)

After a couple of years and innumerable patches, the bridge, now essentially a pile of cement over a chasm, will finally stop dropping more than a couple cars per day

We usually call that "pile of cement over a chasm" a "dam"
I used to think they were purpose built structures, but now I know that they're just a cement mixer's version of "bridge"

Re:Yes. (1)

Locke2005 (849178) | more than 4 years ago | (#30537118)

No, the first vehicle to cross the bridge should always be a heavy bus carrying all the engineers that designed it, as well as all the suppliers of materials for the bridge and supervisors for the construction. I think we'll refer to this method as "Chinese Quality Control".

Re:Yes. (0)

Anonymous Coward | more than 4 years ago | (#30537670)

The Chinese have quality control?

Re:Yes. (1)

osu-neko (2604) | more than 4 years ago | (#30538116)

Most countries have quality control. Anything that meets the standards is allowed to be sold domestically, and anything that fails is shipped to America.

Re:Yes. (0)

Anonymous Coward | more than 4 years ago | (#30537152)

Well, the original business requirements probably read "bridge must send red cars to New York and send blue cars to Paris."

The real difficulties came after release, when the business insisted the next patch must:

  1. include matter duplicator to handle cars that are both red and blue,
  2. put a giant acid lake at base of the chasm for green cars, to eliminate lawsuits from surviving occupants, and
  3. route blue cars to Paris France instead of Paris Texas

Also, the project manager promised the business the developers would be able to warp time and space "between sprints", so that the cars would reach their destination five minutes before they left.

Re:Yes. (0)

Anonymous Coward | more than 4 years ago | (#30537594)

you forget the part where the bridge engineers are handed two pieces of wood and five strings. The bridge must be at least 2 miles long. We haven't thought of a specific location yet, nor about what traffic it will have to carry. You have until yesterday. Go.

Re:Yes. (1)

jbezorg (1263978) | more than 4 years ago | (#30538176)

And if it was a Massively Multicar bridge, it wouldn't even cross the chasm all the way before it was opened.

Re:Yes. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30538710)

Next Question.

No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

Going off on a tangent here.
One of my college professors once spoke in class about a former student of our school.
A bridge had collapsed and the engineer testified in court that it was his college prof's fault.
Why you might ask?
The Answer:
Because he had made the same mistake on a class project and had not been penalized for it then.

I never did find out if my professor had made that one up or if it really was based on a real case.

Re:Yes. (1)

Foofoobar (318279) | more than 4 years ago | (#30536356)

Next up on easy question theatre... why are you hitting yourself? why are you hitting yourself? why are you hitting yourself?

Re:Yes. (1, Informative)

Anonymous Coward | more than 4 years ago | (#30537518)

Code review of **every line** is best practice. That's independent, desk check style code reviews. The reviewer needs to feel they could put their name on the code, or start writing action. Any questions need to be addressed prior to the sit-down review with an uninterested moderator. Any burning questions that were not answered to everyone's satisfaction need to be researched until there are no more "I don't understand that section of code" responses.

OpenBSD (2, Informative)

Anonymous Coward | more than 4 years ago | (#30536248)

OpenBSD does code audits. All security-sensitive applications should be, if not by the developers, by the people deploying them, if they have the resources.

Flip the question. (2, Interesting)

tacarat (696339) | more than 4 years ago | (#30536270)

How are they auditing the code of the closed source apps they're using? If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?

Re:Flip the question. (1)

Primitive Pete (1703346) | more than 4 years ago | (#30536414)

It's different because users of paid merchandise or services can seek legal remediation if something goes terribly wrong. The payment creates an obligation. In free software, there's no corresponding obligation, because there has been no payment. Of course, paid OSS (e.g., from RedHat) falls somewhere confusingly in the middle.

Re:Flip the question. (1)

causality (777677) | more than 4 years ago | (#30536492)

It's different because users of paid merchandise or services can seek legal remediation if something goes terribly wrong.

They must not have read the EULA...

Re:Flip the question. (4, Insightful)

BronsCon (927697) | more than 4 years ago | (#30536524)

It's different because users of paid merchandise or services can seek legal remediation if something goes terribly wrong. Unless, of course, the license agreement specifically states that there is no guarantee of the program's fitness for any specific purpose.

There, fixed that for ya.

Re:Flip the question. (1)

corbettw (214229) | more than 4 years ago | (#30536820)

IANAL, but that clause would be trivial to toss out. If a company is marketing their software as "the best financial package available" and a giant bug in it then causes massive losses for their customers, leaning on that clause just ain't gonna cut it.

Re:Flip the question. (0)

Anonymous Coward | more than 4 years ago | (#30536884)

you should spend less time having anal sex and more time understanding basic law. It might keep you from being horribly wrong.

Re:Flip the question. (0)

Anonymous Coward | more than 4 years ago | (#30537782)

in that case you might just get your money back...

Re:Flip the question. (2, Informative)

Kjella (173770) | more than 4 years ago | (#30537872)

IANAL, but that clause would be trivial to toss out

Lawyer: "I'm not a software developer, but it's trivial to use that java library in a C# application"

That's about how many orders of wrong you are here. I also play my share of lawyer on slashdot, but I know how to read cornell.edu - and it's amazing how much better the discussion would be if most people had - but I also know when to STFU and not make a fool out of myself. Like in this case UCC 2-316. Exclusion or Modification of Warranties. [cornell.edu] which quite clearly states that you can exclude any implied warranty of fitness or merchantability. You may get around that if you prove the disclaimers are unconscionable, but that's a tall order and not in any case trivial. Maybe for things that are more malice or fraud than incompetence, or in case of personal injury, which is why software often explicitly excludes any such use.

Re:Flip the question. (1)

corbettw (214229) | more than 4 years ago | (#30538026)

Lawyer: "I'm not a software developer, but it's trivial to use that java library in a C# application"

There are ways to do exactly that. A quick Google search turned up this discussion [bytes.com].

If a company is selling a financial accounting package, and tries to state in their disclaimer that the software is "not fit for any particular purpose", I really can't see a judge signing off on that. Free software, because there is no contract between the parties, can get away with that. But when there's a contract you have to be much, much more explicit to avoid things like this.

Re:Flip the question. (0)

Anonymous Coward | more than 4 years ago | (#30539142)

I must be truly clever, because I can debug all my own code...

Re:Flip the question. (1)

GasparGMSwordsman (753396) | more than 4 years ago | (#30537922)

It's different because users of paid merchandise or services can seek legal remediation if something goes terribly wrong. Unless, of course, the license agreement specifically states that there is no guarantee of the program's fitness for any specific purpose. Except, of course, when/where the law states that there is an automatic guarantee and automatic liability.

There, fixed that for ya.

Re:Flip the question. (2, Insightful)

minsk (805035) | more than 4 years ago | (#30536538)

The payment creates an[] obligation.

An obligation to include vicious anti-liability clauses and avoid any admission of wrong-doing?

Re:Flip the question. (1)

CastrTroy (595695) | more than 4 years ago | (#30536726)

Has anybody sued MS and won because there was a bug in their product? Do you think you could sue any sizeable software company and get any money out of them because you lost money due to a bug in the product? Unless you are hiring a company to do custom software, and it's spelled out in the contract, there probably isn't much of a recourse for anybody who loses money/data due to a bug in software.

Re:Flip the question. (2, Funny)

schon (31600) | more than 4 years ago | (#30536940)

Has anybody sued MS and won because there was a bug in their product?

Of course not. Everyone knows that MS products don't have bugs.

Re:Flip the question. (1)

mrisaacs (59875) | more than 4 years ago | (#30536442)

It's not uncommon for large organizations to require access to code, have a third party audit it, or require some form of liability insurance from the vendor when closed source code is purchased. There's also the not very reliable, and very dangerous, assumption that vendors have already vetted the code against malicious/non-secure code.

For open source code - there's no-one accountable vouching for the code or offering insurance - so organizations are forced to audit the code. Plus there's the usually wrong, overly paranoid but safer assumption that the code might well harbor something malicious/non-secure.

Re:Flip the question. (0)

Anonymous Coward | more than 4 years ago | (#30536568)

That would be why you purchase support for the OSS product for that very exact reason.

Re:Flip the question. (1)

mrisaacs (59875) | more than 4 years ago | (#30537140)

Assuming you're buying a package from someone, in which case you're buying from a vendor. See my original comment for what's expected from a vendor.

No, don't flip the question. Answer it. (4, Insightful)

elnyka (803306) | more than 4 years ago | (#30536708)

How are they auditing the code of the closed source apps they're using? If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?

Flipping the question does not answer the original one, which is a valid one and which deserves an answer. The answer is, just like anything, it depends. It depends on the open source artifacts in question; it depends on the specific audit/security requirements; it depends on how critical the app under development is; it depends on SLA agreements (if one exists and requires it.)

As you said, if there are steps in place, use those as a minimum, provided that they are sufficient for the requirements at hand.

If there aren't any, you can't just cross your arms and say "well, if I didn't do them with COTS, why would I with FOSS"? If there aren't, and your project requires them, then shit, you implement them.

The question of whether to sec audit something, be it COTS or FOSS is predicated by the requirements at hand, not on whether a previous usage of COTS (or FOSS) was properly audited in the past.

Re:No, don't flip the question. Answer it. (1)

tacarat (696339) | more than 4 years ago | (#30536976)

That's a great follow up line of thinking for folks that flipped the initial question. No mod points, though :(

Re:Flip the question. (1)

nitehawk214 (222219) | more than 4 years ago | (#30536754)

How are they auditing the code of the closed source apps they're using? If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?

Good point... however I would posit that somebody had better be auditing the code, be it open source or closed. In the closed case, it should be the vendor itself, or a neutral 3rd party. Now granted there is no guarantee that it is done properly in the closed source case, but that should be part of the vendor's liability. (yeah yeah, vendors don't take liability for shrink-wrap software, but they typically do for custom projects)

As far as open source goes... none of us have the time or manpower to audit all of Apache or Linux. But with giant projects that millions of people use, and have entire industries designed to support, we don't need to audit it. Smaller apps with few users should be scrutinized more closely.

Re:Flip the question. (1)

Coz (178857) | more than 4 years ago | (#30536922)

Someone should be auditing Apache and Linux, and it had better be the vendors making the cash off it. If Red Hat and the others aren't reviewing the code base regularly, I want to know what my support contract's paying for. I should receive an assurance that the system has been audited for most known vulnerabilities, and every patch should have eyes on it (besides the maintainer's) that look for obvious things (buffer overflows, SQL injection vulnerabilities) and oddness (the nightmare of a multi-patch Easter Egg full of badness from a malicious source).

That last bit is one of the things I have to fight most when recommending Open Source to non-techies. I've had them talk about the Jurassic Park scenario, where someone embeds lots of little things in the code and then they know how to trigger a catastrophic reaction. The easy security vulnerabilities are treatable with monitoring and audits - it's an order of magnitude harder to audit a whole change trail.
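The comment above says every patch should get a second pair of eyes looking for the obvious things. As an added example (it is not code from this thread, from Red Hat, or from any project discussed here), the script below is the kind of first-pass triage a deploying organization can run over a checkout before a human reviewer starts: it flags unbounded C string functions, shell execution, and SQL assembled by string concatenation, and reports file and line for each hit. The rule patterns and the sample files it scans are constructed for this example; a clean run narrows where to look, it is not an audit.

```python
"""First-pass triage of an open source checkout for obvious hazards.

Added example for this thread, not any project's tooling. The rules below are
deliberately simple regexes (an assumption, not a standard rule set); they
produce leads for a reviewer, not verdicts.
"""
import os
import re
from dataclasses import dataclass

# (rule name, pattern, why a reviewer should look). Word boundaries keep
# strncpy/fgets from matching the strcpy/gets rule.
RULES = [
    ("unbounded-c-string", re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
     "no length bound on the destination; classic overflow source"),
    ("shell-exec", re.compile(r"\b(system|popen|exec[lv]p?e?)\s*\("),
     "shell execution; check whether arguments can be attacker-controlled"),
    ("sql-concat",
     re.compile(r"(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*[\"']\s*[+.]\s*[\w$]", re.I),
     "SQL text joined to a variable with + or .; look for injection"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    reason: str
    text: str


def scan_text(path, text):
    """Run every rule over each line of one file; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # cuts noise; a reviewer still reads comments by hand
        for name, pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, reason, stripped))
    return findings


def scan_tree(root, extensions=(".c", ".h", ".cpp", ".php", ".py", ".java")):
    """Walk a checkout and scan every source file with a known extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith(extensions):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


# Constructed sample checkout: one hit per rule plus a safe counterpart each.
SAMPLE_FILES = {
    "net/parse.c": (
        "#include <string.h>\n"
        "void copy_name(char *dst, const char *src) {\n"
        "    strcpy(dst, src);   /* constructed: no bound on src */\n"
        "}\n"
        "void safe_copy(char *dst, const char *src, size_t n) {\n"
        "    strncpy(dst, src, n - 1);\n"
        "    dst[n - 1] = '\\0';\n"
        "}\n"
    ),
    "web/user.php": (
        "<?php\n"
        "// constructed: query built from request input\n"
        "$q = \"SELECT * FROM users WHERE name = '\" . $_GET['name'] . \"'\";\n"
        "$ok = $db->prepare('SELECT * FROM users WHERE name = ?');\n"
    ),
    "tools/run.py": (
        "import os\n"
        "def ping(host):\n"
        "    os.system('ping -c 1 ' + host)   # constructed: shell string from input\n"
        "    return 0\n"
    ),
}


def scan_sample():
    """Scan the constructed sample files in memory."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Stable (path, line, rule) triples for reporting and comparison."""
    return sorted((f.path, f.line, f.rule) for f in findings)


def demo_tree_scan():
    """Write the sample files to a temp dir and scan it like a real checkout."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}\n    {f.reason}")
```

Point `scan_tree()` at a vendored tarball after extraction, diff the summary against the previous release, and hand only the new lines to the reviewer; that is cheaper than re-reading the whole tree and catches the "small thing slipped into a patch" case the comment worries about, at least for patterns you already know to look for.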

Re:Flip the question. (1)

digitalunity (19107) | more than 4 years ago | (#30537836)

That's an inescapable reality and it's not unique to closed or open source software. You always have to contend with the fact that the developer may have left a bug intentionally that allows remote code execution or privilege escalation.

You can audit code all day long, but the chance of something getting through is high. You might be able to take a small application and with some assurance say it's bug free, but you'll never ever accomplish such a feat with a large project like the Linux kernel or the entire GNU userland.

As with all things, we have to take security vulnerability discoveries as they come and keep a watchful eye on code quality and readability.

Re:Flip the question. (1)

Kartoffel (30238) | more than 4 years ago | (#30537538)

IVV under NDA. Independent validation and verification under non-disclosure agreement.

That is, if anyone in private industry bothers to buy source and have it independently audited.

It's not even really a question (4, Insightful)

BadAnalogyGuy (945258) | more than 4 years ago | (#30536326)

The answer is Yes. When you run software, you are running it under 1 of the following 3 assumptions:

1. You implicitly trust the vendor
2. You have tested it yourself and trust your tests
3. You are oblivious (the vast majority of users are)

What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.

To simply accept a software package without assuming it is riddled with bugs and security vulnerabilities is foolish. No matter if it is a proprietary software package or an Open Source community project, any sane CIO will want some sort of evidence that the product will not end up losing them money and customer trust due to security vulnerabilities.

Re:It's not even really a question (5, Insightful)

jimbobborg (128330) | more than 4 years ago | (#30536392)

What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.

I still hear this every once in a while. So my question is, has anyone ever sued Microsoft for loss of data/trust? Have you not read the EULA?

Re:It's not even really a question (1)

poopdeville (841677) | more than 4 years ago | (#30537592)

The EULA might be irrelevant, depending on the specifics of the case. In particular, there is a notion of an "implied warranty", that no EULA can break.

In common law jurisdictions, an implied warranty is a contract law term for certain assurances that are presumed to be made in the sale of products or real property, due to the circumstances of the sale. These assurances are characterized as warranties irrespective of whether the seller has expressly promised them orally or in writing. They include an implied warranty of fitness for a particular purpose, an implied warranty of merchantability for products, implied warranty of workmanlike quality for services, and an implied warranty of habitability for a home. ...
An implied warranty of fitness for a particular purpose is a warranty implied by law that if a seller knows or has reason to know of a particular purpose for which some item is being purchased by the buyer, the seller is guaranteeing that the item is fit for that particular purpose.

Re:It's not even really a question (1)

Orion Blastar (457579) | more than 4 years ago | (#30537630)

I worked for one of the law firms that Microsoft hires to defend themselves from law suits. They may have even written part of the EULA that waives the right to sue for damages and loss of data/trust.

But if anyone does sue them, Microsoft can afford the best lawyers to fight it, and run up costs until it is a Pyrrhic victory [wikipedia.org] that cost more in legal fees and court fees than they won from Microsoft.

Re:It's not even really a question (1)

haruchai (17472) | more than 4 years ago | (#30539726)

Is that how things work in the US? I'm pretty sure that the loser has to reimburse the winner of a lawsuit for costs and fees in Canada. Also, the judge has the right to cap the amount that must be re-imbursed - this is useful when one party has much greater resources than the other or when the judge feels that certain tactics were inappropriate.

For example, let's say I sue M$ for infringement of something I created and they start burying me in paperwork ( I can only afford basic legal representation ), use various methods to drag the case out for years, and then, after winning the judgment, stick me with a multi-million dollar bill for their high-falutin' Shylocks, etc.
I can petition the judge to cap my costs ( there's a legal term for this but I can't remember what ) - it's not unusual for the decision to be about the same as what I paid for my own lawyer.

Re:It's not even really a question (1)

alvinrod (889928) | more than 4 years ago | (#30538358)

If that were enough to guarantee that it would be impossible to be held legally responsible for product failures or shortcomings, it would be sufficient to attach a EULA to all medication that states the provider is not in any way responsible for death or disability caused by the drug. There's no way something like that would hold up in court if people experience severe problems from the drug.

Microsoft might be responsible if they advertised their product as never causing any problems or resulting in loss of user data under any circumstances or entered into a contract in which they claimed responsibility for data loss due to their software or losses due to security breaches. I'm guessing that they don't explicitly ever state this point and don't enter into any legally binding contracts that make them financially responsible for those problems.

If people have problems with Microsoft software, either Microsoft can offer to help or resolve the issue, or the company can migrate away from Microsoft solutions. They could file a lawsuit, but it would probably be difficult if not impossible to prove that Microsoft software was the entire cause of the problem. If someone didn't apply patches, there's some conflict with other third party software, or any other number of possible scenarios that cast doubt on the fault resting with Microsoft, the company's legal team would probably not recommend going to court over it.

Microsoft software may have all kinds of problems or issues, but I've never seen Microsoft state that this wouldn't happen. All you normally get is some "The best computing money can buy!" marketing fluff which really doesn't mean anything as 'best computing' is completely open to interpretation and has no legal definition. Hell, everyone claims to have the best computer experience money can buy for some definition of "best computer experience".

Re:It's not even really a question (1)

causality (777677) | more than 4 years ago | (#30538602)

If that were enough to guarantee that it would be impossible to be held legally responsible for product failures or shortcomings, it would be sufficient to attach a EULA to all medication that states the provider is not in any way responsible for death or disability caused by the drug. There's no way something like that would hold up in court if people experience severe problems from the drug.

I think it makes a difference that drugs are both intended for human ingestion. Drugs are also regulated by the FDA, and my point there is that the law has already decided that this is one thing that could be dangerous without regulation. No one eats software, and no government body exists that was specifically designed to regulate it.

Re:It's not even really a question (1)

Xtifr (1323) | more than 4 years ago | (#30539128)

What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong

Let's rephrase that--may lack. There's plenty of ways you can arrange to have OSS that has someone to sue. Most of those ways involve payment, however, which seems like a reasonable trade-off for the assumption of that risk.

At risk of sounding redundant, yes. (1)

plopez (54068) | more than 4 years ago | (#30536336)

You *think* the VPN and encryption software is secure. But flaws have been found in the past. The basic underlying strategy of security is a multi-layered defense.

Ummm... why *wouldn't* you do this?! (0)

Anonymous Coward | more than 4 years ago | (#30536360)

If you're trying to build a secure system, why would you *not* audit every piece of code, open- or closed-source? Doesn't it kinda defeat the purpose if you have no idea how secure a piece of software you depend on is? For that matter, is there anyone on /. that would (seriously) suggest the opposite?

I hate modern Project Managers (1)

Herkum01 (592704) | more than 4 years ago | (#30536400)

The fact that this question has to even be asked, tells you a lot about how applications are developed.

The US has dedicated itself to a race to the bottom in quality and price. Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.

Re:I hate modern Project Managers (1)

causality (777677) | more than 4 years ago | (#30536526)

The fact that this question has to even be asked, tells you a lot about how applications are developed.

The US has dedicated itself to a race to the bottom in quality and price. Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.

Well of course. Concerns about larger long-term benefit might interfere with the All-Important concern about lesser short-term gain.

Re:I hate modern Project Managers (0)

Anonymous Coward | more than 4 years ago | (#30536606)

There is no long term. The company could be sold, in five minutes. A scandal (made up or not) can do more harm than any management decision. The next 'green/eco friendly/non fat/low sodium' fad could make the company instantly worthless etc.

Re:I hate modern Project Managers (1)

causality (777677) | more than 4 years ago | (#30536710)

There is no long term. The company could be sold, in five minutes. A scandal (made up or not) can do more harm than any management decision. The next 'green/eco friendly/non fat/low sodium' fad could make the company instantly worthless etc.

That mentality comes precisely from the thought process I mentioned. Get enough people to buy into the idea that short-term gain is all that ever mattered, and that becomes your new business reality. That is, it's a consensus reality. Those who see that it's the business reality will swear that it must have always been that way.

BTW, companies which diversify tend to be more resistant to fads. A sale of the company would change the ownership, but the new owners may ignore long-term strategy just as surely as the old owners did. A scandal can be great publicity, I bet their main concern would be whether the media spelled their names correctly.

Re:I hate modern Project Managers (1)

flajann (658201) | more than 4 years ago | (#30536856)

The fact that this question has to even be asked, tells you a lot about how applications are developed.

The US has dedicated itself to a race to the bottom in quality and price. Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.

There is so much pressure from the business side to rush to market that corners are inevitably cut, and the first place that usually gets cut is testing.

The realities of today's high-tech business world almost demand that you release crappy code NOW just to get your foot in the door of the market share. You can always release upgrades after the poor fools have bought into your software.

In an ideal world, everything should receive security audits before release. If you are Big Company releasing to Open Source, you may not want to spend the extra $$$$ on security audits unless you see a clear ROI for you. Besides, you should be able to trust your own developers, anyway. And if you can't, releasing your stuff to OSS or FOSS is the very least of your concerns!!!

As for encryption-specific security, that requires a special level of auditing, and your reputation is clearly on the line if others suffer due to a flaw in your encryption/protocol schemes. In that case, AUDIT LIKE HELL....

Re:I hate modern Project Managers (1)

Locke2005 (849178) | more than 4 years ago | (#30537138)

Why should I pay people to test my products when I can get my customers to pay me for the privilege of testing my products? (No, I don't work for Microsoft -- I'm just playing Devil's Advocate here.)

Re:I hate modern Project Managers (1)

GaryPatterson (852699) | more than 4 years ago | (#30540024)

*You* test to make sure the product is saleable.

*They* test to make sure it meets their needs.

If you don't do your part, they won't even get to their testing, as your product won't be considered.

It all depends.. (1)

natehoy (1608657) | more than 4 years ago | (#30536404)

If you want publicity in any way you can get it, feel free to skip testing. Data breaches make good news. It may not be the kind of publicity you want.

Seriously, it depends on your level of trust and your level of need for security. Though, if you are using a supposedly secure transport, I imagine your need for security is relatively high. Besides, you are putting your trust in an external company, which means if that company gets breached your data is right there. If you don't encrypt it with a second layer, anyone who gains access to your VPN provider also owns you. You have just extended your circle of trust to include all of the employees of your vendor, a whole bunch of people you will never meet. If they have cleartext access to your data, you have a problem.

Security is done in layers. If someone breaches one layer, it's best if they get stopped by another. The more layers (within practical limits) the better.

To put it another way, as wed128 so succinctly put it above, "Yes." Though I'd add "HELL, YES!" about 100 times after it.

yes (1)

Sir_Lewk (967686) | more than 4 years ago | (#30536408)

I think the answer reasonably is anywhere between "yes" and "absolutely yes". For example, auditing should probably be considered very important for software such as slashdotter Fyodor's Nmap.

You can't trust everyone in the open source community to be completely white-hat all the time...

It all depends... (1)

malkavian (9512) | more than 4 years ago | (#30536430)

If you have the resources to vet the code without draining resources, then it may be useful for you to do it. If you use closed source code, you just have to trust that (and maybe black box test it). At a minimum, test everything to the same standard.
If you barely have the resources to cobble together a quick and dirty IT system, then trying to security test open source software may not be the best way to grow your company (unless that's what you're intending to do as your business, in which case, you'll probably need more than the quick and dirty IT system).
If you rely on being as secure as possible, and any breach would be the end of you, and you also have loads of spare cash rattling around (*Cough* Financials *cough*), then having an extra possibility of vetting is never something to be sniffed at. Get a bunch of people to pore over it. If they find holes, submit patches and patch internally as required.
Still, you're only as secure as the bunch you hire to vet the code.. If you give it to 'a person' to vet, and they happen to put in a back door..
It really all depends on where you think the biggest risks are, and who you choose to trust. But it's still nice to have the extra chance to at least look if it worries you.

Not just a security question (1)

Brett Buck (811747) | more than 4 years ago | (#30536512)

It's not just a matter of security. I would think you would want to verify, via some method (code review, etc) that the code is correct and provides the desired results, doesn't crash, is properly integrated, etc.

        Brett

Re:Not just a security question (0)

Anonymous Coward | more than 4 years ago | (#30536838)

Thanks for reminding me at the bottom of your post that your name is Brett, just in case the "by Brett Buck" byline was not sufficient. Without seeing it twice, I might not have realized what your name was and might not know who to credit out of the 6-ish billion people I don't know on this planet.

              Anonymous Coward.

security tests (1)

viralMeme (1461143) | more than 4 years ago | (#30536550)

> companies may be wondering if they should conduct security tests of their customized open source software before deployment ..

If they haven't already conducted penetration tests before deployment and implemented a secure irrevocable auditing system, then they shouldn't even be in the business ..

I can see... (1)

gregarican (694358) | more than 4 years ago | (#30536566)

...the next question that's a posted article [rubs crystal ball]Is Code Testing of Open Source Apps Necessary?[/rubs crystal ball]

Of course it is! (1)

shking (125052) | more than 4 years ago | (#30536572)

The consequences of fixing a problem while it's being exploited are usually much more severe than not having the problem in the first place. Proactive security [openbsd.org] is the way to go. That's why BUGTRAQ is peppered with statements like, "This problem was fixed in OpenBSD about 6 months ago"

Of course! Read about the Farewell Dossier (0)

Anonymous Coward | more than 4 years ago | (#30536630)

http://www.nytimes.com/2004/02/02/opinion/02SAFI.html?th

and here

http://en.wikipedia.org/wiki/Farewell_Dossier

I thought auditing was the whole point (1)

bonch (38532) | more than 4 years ago | (#30536716)

Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code? What the hell kind of question is this to ask, really?

Re:I thought auditing was the whole point (0)

Anonymous Coward | more than 4 years ago | (#30536958)

A question asked in the real world of software development for business.

Re:I thought auditing was the whole point (0)

Anonymous Coward | more than 4 years ago | (#30537234)

Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code?

This should be "thousands of eyeballs potentially auditing the code". Outside of the kernel there ain't much auditing going on.

Re:I thought auditing was the whole point (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30537354)

The funny thing is, how many people are actually eyeballing the code? Are you, or do you just assume thousands of other people are?

Re:I thought auditing was the whole point (0)

Anonymous Coward | more than 4 years ago | (#30537570)

automation silly

Re:I thought auditing was the whole point (0)

Anonymous Coward | more than 4 years ago | (#30540026)

how many people are actually eyeballing the code?

At the risk of stating the obvious, the fact that anyone CAN view the code is just a little more important than the exact number of eyeballs.

Most code auditing is deeply flawed (1)

Lewxuy (1706544) | more than 4 years ago | (#30536770)

The problem is that code auditing generally tries to detect bugs. Even in the best case scenario where you can have a complete, manual audit of the entire codebase, you will miss many, many bugs. A much cheaper and in many ways better option is to just take a look at the code. Would you be proud of having written it? Ashamed? If you'd be ashamed of it, I say auditing is useless - there will always be vulnerabilities you've missed. If you're proud of it, an audit might be worth the cost - but, then, you could also spend the money on refactoring the code, use more privilege separation, add better input validation, more sanity checks...

In a perfect world, all code would be statically checked, audited manually and by automatic tools, etc. But we're not in a perfect world. Auditing is very often NOT the best thing to spend money on.

Bear in mind that security is only as strong as its weakest link. Do you trust the framework you're building on? The libraries you use? The OS? Your cloud provider?

Sun Microsystems? Oh, you mean ORACLE! (1)

mmell (832646) | more than 4 years ago | (#30536792)

I'm sure they're just opensourcing the bits of Sun's portfolio that they didn't want - sort of a cheap and easy way to divest themselves of responsibility for code and products they didn't want when they took over Sun.

Rest assured, any bits they feel will help them make Oracle an even more ubiquitous player in the database niche of IT will not see the light of day any time soon. Frankly, I'm surprised they haven't killed MySQL yet (although they may have plans for it; and the fact that it was previously open-source may make it impossible for them to truly kill it).

Anybody here trust Oracle? I mean, I've worked with their products before, and while I don't want to say anything denigrating or derogatory about them here I'm just glad that's worked with before (past tense) and not work with (present tense).

Of course you should audit them (1)

Fujisawa Sensei (207127) | more than 4 years ago | (#30537042)

Companies should audit the code for these apps the same way they audit Linux, Bash, JBOSS and the various other OS applications they deploy. Why should this code be any different?

Of course you should (1)

dirk (87083) | more than 4 years ago | (#30537146)

Being open source in no way means a program is bug free, or even does what it claims. Sure, chances are someone else has already found if there is something horribly wrong, but the whole point of it being open source is so you can audit it yourself. If you don't bother to actually look at the code, it might as well be closed source, since you aren't looking at the code anyway.

Oh, for crying out loud. (1)

jthill (303417) | more than 4 years ago | (#30537176)

Somebody said "it depends" with a certain level of sarcasm above, but I'm going to say it in all seriousness, and echo the "why was this posted" question, also coming from a different angle.

The headline says "open source apps" without qualification, so I'll address all open source apps first.

The criteria for wanting an audit are the same, and not all software requires an in-house audit for various and I would have said obvious reasons.

But there are some observations that apply to open source that do not apply to closed source:

Every single proprietary-software vendor on the planet has a huge incentive to find major flaws in every competing product, but only with open source do they have the opportunity.

More specifically addressed to open-source security software, but still widely relevant:

The open-source security components are available for any use (BSD) or any open-source use (GPL). They get re-used. OpenSSL is surely among the most intensively-audited software components on the planet, not least because banks use it to protect financial transactions of all sizes. And OpenSSL is everywhere.

That leaves the following summary of my answer:

  1. For applications where simply trusting that any broadly-used software is secure enough, there's no substantial difference in the considerations, and the answer is virtually always "no".
  2. For applications that have major security implications — say, whole-disk encryption or multi-user system security or communications security — open source has a decided advantage because all of the many interested parties can audit at any time, and all have various motivations to publicize negative results. You might still want to do it anyway, but you'd want to do it for both kinds, because
  3. And where human life and similarly vital considerations are involved, you are going to be doing one no matter what.

And now for something completely different: /. editors, don't you know that sometimes it actually matters?

This story could scarcely have been intentionally constructed to more reliably produce a sales pitch for closed-source companies: "Here's a world-famous bastion of open-source advocates — ask any of your geeks, they'll know about slashdot — and look at this, almost everyone there says you have to audit open source. Do you have the resources to do that? No? That's what we thought, so we can dismiss that idea. Now, let's talk."

And that's precisely because the headline doesn't even mention the "security" part. It's "Open Source Apps". All of them. Even here, not reading the summary is rampant. How closely do you think a busy manager who starts out suspicious of the whole idea is going to examine this?

Bad money drives out good.

Audit the FOSS projects, not the code (2, Interesting)

cenc (1310167) | more than 4 years ago | (#30537210)

Open source code development by definition is a sort of "self-auditing" process. That is all good. The bigger problem that is unaddressed in the FOSS community at large that I see is when the projects that run them fall apart. For example, in this case, whether the sun is going to set on Sun is still not known. What about MySQL?

More commonly it is the problem of rag tag bands of volunteers (that are increasingly novice these days), where a couple of major players move the project along and if something happens to them the project goes off the rails. The rather high profile example of this was the CentOS fiasco earlier this year.

I know everyone is going to come back and say things like, "if you don't like it, fork it". That is a nice sentiment, but much harder to do in practice. Often it is like saying if you don't like the service you get at Wal-Mart, start your own department store chain, bank, pharmacy, or whatever. Not something even most larger companies can do, let alone end private users.

We need a system for auditing and reviewing open source projects for their viability and overall health so users (individuals, companies, and other projects that depend on them) can make real decisions about using what they produce. Right now it is more of an art than a science to determine if a project is going to live. I am not saying limit open source creativity or stop small projects, but provide transparency as to the health of the projects. We can see the structure of the code, we should be able to see the structure of community that builds and maintains it.

looks like the point has been lost (0)

Anonymous Coward | more than 4 years ago | (#30537320)

uh... look.. part of the whole point of open source software is the fact that it CAN be audited! any and all software should be audited and tested to its fullest extent before going into production. i know this doesn't always happen in the corporate environment, but that does not change the fact that it SHOULD be done! people are right, just because something is open source doesn't mean it's automagically secure, it means that people can audit code and submit bug reports when they find insecurities which, in turn, lets the developers make the code more secure. Christ, why does this question even need to be posed? has everyone forgotten how the open source community is supposed to work? i think it may just be that the corporate people are coming in without a clue.

The answer is clear (1)

El Nigromante (1059332) | more than 4 years ago | (#30537382)

Not necessary if the application is not critical.

CERN's LHC and my bank's software system are typical examples of critical applications. My neighbour's wifi router is not.

Re:The answer is clear (1)

CoccoBill (1569533) | more than 4 years ago | (#30537666)

In what regard is CERN's LHC software critical to you? Your neighbor's wifi router can be critical to your neighbor, and it most likely is to its manufacturer. I'd be hesitant to call any piece of software more complex than "hello world" categorically non-critical. If it's made publicly available or sold, the maker is^Z should be responsible that it doesn't eat anyone's babies, unless of course that is its purpose.

Sure, but make it voluntary (1)

cryfreedomlove (929828) | more than 4 years ago | (#30537634)

If there is a good reason to do this then companies will do it because it serves their own self interest.

Re:Sure, but make it voluntary (1)

couchslug (175151) | more than 4 years ago | (#30539814)

"If there is a good reason to do this then companies will do it because it serves their own self interest."

That statement presumes enlightened self-interest on the part of those companies...

Due diligence (1)

seifried (12921) | more than 4 years ago | (#30538012)

"Due diligence". That's all I have to say. Do I audit the code for my personal website? No. Would I audit code for a large commercial site? I should think so.