Most hackers are not interested in breaking open source projects. A simple example: there are not many viruses for Linux, not because Linux is perfect, but because it is open source. There is no thrill in breaking something that is already open :). Many hackers break into systems for the adventure, not to take something from the system.

Am I saying security is not needed for open source software? Definitely not. I am working on the security module for Axis2/C, which is Rampart/C, so I know the value of security. So, how should open source projects handle security?
One comment from Dana Blankenhorn in his blog:

"If there's an application hack at Microsoft you would know who to go to. But what about open source? The answer isn't always clear," director of product marketing Rob Rachwald told ZDNet.

Most open source projects have issue reporting systems, but those systems cannot be used to report security issues. If a company uses an open source software package and finds a security issue in it, the moment they report that issue in a public issue tracker their own system is exposed to attack. Hence, there has to be a private place where users can report security issues. One possibility is that every open source project has a mailing address dedicated to security issues, and people who encounter such issues send mail to that address. For example, if there is a security hole in Project ABC provided by XYZ.com, there should be an address security@XYZ.com where security issues are reported. If the security@domain convention is followed, most issues will be reported and solved.

One advantage of open source projects is that they are verified by many different minds, so the chance of finding bugs or security issues is very high. If those can be reported confidentially, then most of the issues can be solved.