Shellshock proves open source's 'many eyes' can't see straight

Roger A. Grimes | Oct. 2, 2014
With so many people looking at open source code, its security flaws should be stopped dead -- but it doesn't work that way.

Even if a trained computer security code reviewer wanted to review the most popular open source code -- could they? Linux itself, even before you add a single daemon or app, has more than 15 million lines of code. In fact, I bet most people wouldn't have time to properly review Linus Torvalds' 10,239 lines of code in his original October 1991 version. Today, some popular Linux distros altogether have hundreds of millions of lines of code. Good luck reviewing that in your spare time.

Crowdsourcing doesn't work
Some open source authorities have tried to crowdsource the problem, only to see a lack of interest. The Sardonix code review, one of the most valiant attempts, tried a decade ago and failed. A few people, along with a college classroom or two, participated before the effort died due to low participation.

Sometimes a commercial group or the military will get involved, but their examinations are fairly limited in scope. Even if they find bugs, their suggestions and recommendations often come under suspicion. You might wonder why anyone would object to the military fixing open source software -- until you recall stories where NIST and the NSA offer ideas that place vulnerabilities into code they've reviewed or created.

Fixing the bugs creates its own problems
Even if a serious, independent, trusted security team starts reviewing smaller pieces of code -- say, a particular service or application, such as OpenSSL -- it usually results in fragmentation or forking of the code base. (Heartbleed provides a salient example.)

In other words, the fix results in different versions of code that don't always support each other. It also means two or more versions have to be reviewed every time a change is made. This is no way to mitigate the overall risk. 

Where's the proof?
Last but not least, there's neither proof that open source software has fewer bugs, nor that the finding of more bugs by more people results in less security risk (compared to closed source). The total number of individual publicly known exploits in all software continues to rise. The number of people exploited worldwide continues to increase.

If "many eyes" worked, you'd expect to see a decrease in the number of bugs found over time, especially in software that has been out a while. You would expect open source software to be less exploitable than closed source software. But more to the point, from a scientific viewpoint, no independent study has proven that open source software has led to fewer exploits or fewer exploited customers.

The Shellshock vulnerability in Bash is the latest counterexample. Let it serve as a reminder that, logically, the "many eyes" theory was never on firm ground, and recent events have made its flaws more glaring than ever.

Source: InfoWorld

 
