[Glade-users] Software Licencing

G'day Shivdeep,

Please advise your company that availability of source code does not
necessarily create a security risk, unless the software is already
written insecurely.

Many very critical components of the internet infrastructure are built
from source code that is freely available.  Knowledge of the source does
not mean it can be successfully broken into.

If you already know your software is insecurely written, I urge you to
have it properly fixed to be secure. If you think that your company has
the wrong idea about software security, then it is probably up to you to
fix their idea.

See also http://opensource.org/advocacy/faq.html, which I shall quote:

"Doesn't closed source help protect against crack attacks?

This is exactly backwards, as any cryptographer will tell you. Security
through obscurity just does not work.

The reason it doesn't work is that security-breakers are a lot more
motivated and persistent than good guys (who have lots of other things
to worry about). The bad guys will find the holes whether source is open
or closed (for a perfect recent example of this see The Tao of Windows
Buffer Overflow).

Closed sources do three bad things. One: they create a false sense of
security. Two: they mean that the good guys will not find holes and fix
them. Three: they make it harder to distribute trustworthy fixes when a
hole is revealed.

In fact, open-source operating systems and applications are generally
much more security-safe than their closed-source counterparts. When
the "Ping o' Death" exploit was revealed in 1997 (for example) Linux had
fix patches within hours. Closed-source OSs didn't plug the hole for
months.

Alan Cox has written an excellent article on The Risks of Closed Source
Computing."

-- 
James Cameron
Software Security Response Team, Asia/Pacific
Compaq