David A. Wheeler's Blog

Thu, 21 Aug 2008

Challenges for securing closed source software

I’ve just learned of a really interesting article by Chad Perrin, “10 security challenges facing closed source software”. He starts with my Secure Programming for Linux and Unix HOWTO book’s list of “core requirements for developing secure software”, which was part of the section on developing secure open source software. My list was really simple:

Lots of people have cited that list (and the book!), including Google’s “Contributing To Open Source Software Security”.

At the time I made that list, I was primarily thinking of it as requirements for open source software. Chad Perrin had the interesting insight that the list applies to closed source software too… and then examined what the challenges are. It’s a really interesting list; I suggest taking a look at it! He closes with a very interesting claim: “None of these disadvantages for closed source software are inflexible or absolute. There’s no reason closed source software developed by a corporate vendor can’t be as secure as an open source equivalent. It should be pretty obvious that, all else being equal, the trend is for circumstances to favor the security of open source software — at least as far as these principles of software security are concerned.”
