Security experts acknowledge that open source is the best model for crypto. Many eyes do indeed make bugs shallow, just so long as you can get them to look. So how do we drive improvement in the best-available model for creating security-critical infrastructure? Making Light says:
OSS culture doesn't get called "socialistic," but it's self-organizing and anti-capitalist in its own way.
Open source is indeed not socialistic, but it's also not anti-capitalist, since it depends on many developers independently responding to their own source of motivation to meet their own needs, but maximizing the benefit -- lowering the cost and raising the innovation -- by collaborating with their peers. The best way to drive improvement is to make it more rewarding, both financially and reputationally.
Tempting though it is to try to delegate the problem to Kickstarter and its like, that's not done by throwing gifts at developers. The situation has prompted a variety of writers to claim Eric Raymond's dictum -- many eyes making all bugs shallow -- is false. I disagree with them; I think Raymond has a great point, but the utopianism that sees volunteer communities as the answer stops short of understanding why people volunteer and volunteer the "many eyes." Usually it's because someone is paying them to.
That's the problem we have to fix, both short-term and long-term. Short term, we need to get a team paid to audit OpenSSL again -- it was last done in 2002. That could be crowdfunded as theTruecrypt audit was, or it could be bankrolled by some of the corporations who care about open source -- a great opportunity to show their bona fides. This should be a one-off activity, in my view.
The question of the steps beyond this -- procedural details, review boards, committees, and certifications and so on -- has proved compelling to some. These will undoubtedly form part of a comprehensive solution and need medium-term attention. Since this work is so critical to so much of our infrastructure, we may well need to look back to the early days of the Internet and create some sort of independent, independently financed brain trust from which we can staff audits and reviews.
But I don't think we have to sweat these details long term. We can safely leave that to the demand created when we identify the reason for the lack of incentive. The reason is OpenSSL is good, available, and free, for sure. But there's a deeper issue: Using it has no consequences. In the inevitable case where a failure of code or concept is discovered, no one is blamed apart from the developers. Shouldn't the commercial entities using the code have done some due diligence? Isn't their lack of investment at least partly to blame? Software freedom delivers rights. What about responsibilities?
Sign up for CIO Asia eNewsletters.