web tier @ your service!

Open source quandaries: will it be [more] secure, sustainable?

Sunday Dec 31, 2006

Wishing you a Happy and Prosperous New Year, 2007!

Over the holiday break, we were visited by a longtime friend of mine (who works for Microsoft and apparently filed a joint patent with none other than Bill Gates!). Anyway, we chatted about various things, and I mentioned that being open is the overwhelming theme at Sun these momentous days. For the unconvinced, there is plenty of evidence for this, starting with Jonathan's now famous blog. From microprocessor design (OpenSPARC) to the operating system (OpenSolaris) to Java SE (OpenJDK) and Java EE (GlassFish), open sourcing is big and hot at Sun. Hopefully, 2007 will see Sun Java System Web Server, along with Web Proxy Server, open sourced as well (after the 7.0 release in January).

Anyway, back to the subject of this post. I admit up front that I have dealt with importing open-sourced technologies, but I have no direct experience of open sourcing yet. A couple of recent articles I came across made me wonder: will open sourcing make the end product (what we, along with other consumers of the technology, build on top of it) more secure? Will it be more sustainable? Why do I doubt it? Let me start with security.

In "Increased Security through Open Source" (Communications of the ACM, January 2007), Jaap-Henk Hoepman and Bart Jacobs argue that going "open" all the way offers the most security. Here's a quote: "Open source enables users to evaluate the security by themselves ... enables several different and independent teams of people to evaluate the security of the system." Reasonable. Or is it? PHP is a widely adopted open source web application scripting platform. Netcraft's November 2006 survey indicates that about 19.5 million domains and 1.3 million IP addresses hosting web sites now use PHP. Yet a recent article reports: "A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005. While flaws in the language itself account for a very small percentage of the total, the problems with PHP underscore the difficulty that developers--many of them amateurs--have in locking down applications written in the language." So, what do you make of it: does open sourcing make the end product more secure? Or do people simply move on to newer, better environments as they become available?
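The quoted article itself notes that flaws in the language are a small fraction of that count. To make concrete what the rest of the count typically looks like, here is an added example (my own illustration, not code from the original post or from any of the products mentioned): the same user lookup written twice in PHP, once with the request parameter spliced into the SQL text and once with a prepared statement. The interpreter is identical in both cases; only the application code differs. It uses PDO over an in-memory SQLite database so it runs offline; the table, its rows and the attacker string are constructed for the illustration.

```php
<?php
// Added example, not from the original post: the same lookup written in an
// injectable and a non-injectable way in PHP, to show that the flaws counted
// against "PHP applications" live in application code, not in the interpreter.
// Uses PDO with an in-memory SQLite database so it runs stand-alone; the table,
// rows and attacker input below are constructed for this illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the caller-supplied name becomes part of the SQL text, so a
// quote in the input changes the structure of the statement. This is the
// shape of a typical application-level SQL injection finding.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the query shape and the data
// separately, so the input is only ever compared as a value and can never
// alter the statement. Same interpreter, same database, different code.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: a tautology that turns the WHERE clause into
// "name = 'x' OR '1'='1'" when it is spliced into the SQL text.
$hostile = "x' OR '1'='1";

$leaked = findUserVulnerable($db, $hostile);   // every row in the table comes back
$safe   = findUserSafe($db, $hostile);         // no user has that literal name

printf("vulnerable query returned %d row(s)\n", count($leaked));
printf("prepared statement returned %d row(s)\n", count($safe));
foreach ($leaked as $row) {
    printf("  leaked: %s (%s)\n", $row['name'], $row['role']);
}
```

Run it with any PHP build that has the pdo_sqlite extension (PDO has shipped with PHP since 5.1). Whether the vulnerable function exists in a given application has nothing to do with whether the PHP source is open; what the open platform can do is ship the safe API (prepared statements) so that the secure version is no harder to write than the insecure one.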

This brings me to sustainability. PHP, which took off in the late 1990s, can be seen as an evolution over Perl for web scripting. The Ruby on Rails framework (on either the C Ruby or the JRuby runtime) is expected to simplify web application development further. If a technology has problems, the trend seems to be to invent a new technology rather than fix the existing one. How important is sustainability to open source developers? What do you think?

Comments (3):

I think that you have a flaw in your logic. How many of the security vulnerabilities are a result of bugs in the language versus bugs in applications that happen to be written in the language? And how do the number of applications written in PHP, Perl, C++, Java, C#, etc. versus the number of bugs in those applications compare?

A novice programmer can do stupid things in any useful language. How easy it is to do something stupid is a matter of language design and not so much about the development style of the compiler or interpreter.

Posted by Mike Gerdts on January 01, 2007 at 05:25 PM PST #

Thanks for the comment. Agreed, people can do stupid things with an otherwise useful language (to be fair, that's what the PHP security article I referred to seems to indicate). I tend to believe, though, that the deployment platform as a whole should provide protection for web application developers doing stupid things (more on this later). Regardless of where the vulnerabilities are reported, do you believe open sourcing positively benefits security and sustainability?

Posted by 192.18.43.225 on January 02, 2007 at 09:14 AM PST #

I think it's a mistake to equate security flaws in applications written using a particular language with flaws in the language itself (or with a closed or open development environment). Many people write terrible code in Java, C#, C, C++, Perl, PHP, RoR, etc. The open-sourceness of some of these language engines doesn't automatically mean apps developed on top of them are also open, or that the app implementations will be better or worse than they would otherwise have been.

Posted by DzM on January 02, 2007 at 02:22 PM PST #
