Security reviews became sexy nowadays, we need to make them happen

Posted on Fri 22 August 2014 in Blogging

If you're interested in software security you will have noticed that there were some bigger security problems with widely used software in the last year. The attention these problems get in the mainstream media has risen over the last two years. We had some big security problems in the past as well; just remember the problem with all the SSH keys on Debian systems that were generated with bad entropy. This critical security problem in one of the most used Linux distributions should have had as much attention as Heartbleed had.

Open source is not the answer for everything, but it is the only way

For me this hopefully kills the old assumption that open source is more secure by default. This is complete bullshit in most cases. If you have a look at open source graveyards like SourceForge, GitHub or Google Code you will mostly find a lot of dead projects of poor quality. Why am I so sure about that? Because I am part of the problem. Most of us have committed or published to some of these projects with the good intention of sharing something and giving it to those who might be able to use it. And maybe the quality at the time was good and everything worked fine, but times change.

If I think about this today, we all should delete this old rubbish to prevent it from being used somewhere else. It would be nice if source code that no one is maintaining would delete itself some day, but as long as this does not happen we have to take care of it ourselves or set up a proper maintenance infrastructure for it. Just because some code is open source does not guarantee that it is reviewed. The mere fact that the code is open and could be reviewed has brought us to where we are today. I have never met this somebody who reviews code for fun and for free all day long. And even if we have someone like Andy Lutomirski, who looks like he has incredible fun doing such a job for parts of the Linux kernel, there are not enough Andys around for every open source project.

Open source needs more money

All the good intentions of sharing the source code so that it gets reviewed by more people and becomes more secure do not work out in every project. We need more money to pay people to read our critical software components. Nobody will do this for free, not frequently and not with sustained motivation over a long time. And we need to do it again and again and again. It is not only Truecrypt, the Linux kernel or the most used web servers that need our attention.

To do these reviews we do not only need more people at the OpenSSL foundation or at a fork like LibreSSL. This may fix the problem for OpenSSL, but not for all the other libraries that can have a similar impact when they are screwed up. There is already an infrastructure we can use to spend the money that is needed to make our systems more secure. Security has always been expensive, and a community of volunteers cannot handle it over such a long time without our support.

We should start to spend more money on open source. Security comes at a price. Don't misunderstand this: I don't want every open source project to charge money for its source code, but we need to establish ways to ensure that someone does the job nobody wants to do.

And we should make it sexy for the companies we work for to spend money, too. Some of these companies built their complete business on these free and open tools and still rely on them. If you're a grown, established company, give back a piece of the cake to those who helped you get where you are today.

Which organizations should we give our money to?

To those who support the developers doing such a great job for us. Some good candidates are:

They bring a lot of software to us that we rarely or never recognize we are using every single day.