Data Protection and Security

VI Operating System Security and Secure Programming

VI.IV Secure Software Development

On Open Source and Closed Source:

Software that has intellectual property to protect, or a cryptographic key that must remain private, needs some mechanism for keeping secrets in code. Probably the most popular way to keep secrets in code is to hide the source and release only an executable version in machine code (security by obscurity).

QUESTION: What is the problem here?
ANSWER: First, attackers do not always need to look at any code at all (binary or source) to find a weakness. Second, readily available reverse engineering tools can turn machine code into something understandable.

Code obfuscation is the general idea of transforming the code in such a way that it becomes more difficult for an attacker to read and understand, while preserving its behaviour.
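To make the two points above concrete, here is an added example (not from the course material) of the kind of pre-release check a build pipeline can run: it scans an artifact for credential-looking strings the way the `strings` utility would, then shows that a toy XOR obfuscation (an assumed scheme, chosen only for illustration) defeats the naive scan without removing the secret, because the key and the decoding step ship inside the same artifact. The "binary" bytes and the `sk_live_...` value are constructed placeholders, not real code or credentials.

```python
"""Hard-coded secrets survive compilation: a pre-release artifact check.

Added example, not from the course page. A constructed byte string stands in
for a compiled binary; xor_obfuscate is an assumed toy scheme used only to show
why obfuscation raises the bar without taking the secret out of the artifact.
"""
import re

# Constructed stand-in for a compiled binary: machine-code-like filler bytes
# around a hard-coded API key literal. The key is a placeholder, not real.
HARDCODED_KEY = b"sk_live_PLACEHOLDER_0123456789abcdef"
NAIVE_BINARY = (b"\x55\x48\x89\xe5\x48\x83\xec\x10"
                + HARDCODED_KEY
                + b"\x00\xc9\xc3\x90\x90\xcc")

# Patterns a secret scanner would flag; extend with your own credential formats.
SECRET_PATTERNS = [
    re.compile(rb"sk_live_[A-Za-z0-9_]{8,}"),
    re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Return runs of at least min_len printable ASCII bytes (what `strings` shows)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return re.findall(pattern, blob)


def scan_for_secrets(blob: bytes) -> list:
    """Flag printable strings in an artifact that look like credentials."""
    return [s for s in printable_strings(blob)
            if any(p.search(s) for p in SECRET_PATTERNS)]


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR (assumed scheme for illustration, not a recommendation).
    XOR is its own inverse, so the same function decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The "obfuscated build": the XOR key is stored right before the encoded secret,
# which is exactly what a shipped decoding routine would need at run time.
XOR_KEY = b"\x5a\xa5\x3c"
OBFUSCATED_BINARY = (b"\x55\x48\x89\xe5"
                     + XOR_KEY
                     + xor_obfuscate(HARDCODED_KEY, XOR_KEY)
                     + b"\xc9\xc3")


def recover_from_obfuscated(blob: bytes, key_offset: int, key_len: int,
                            secret_len: int) -> bytes:
    """Because key and decoding step are in the artifact, the secret is still there."""
    key = blob[key_offset:key_offset + key_len]
    encoded = blob[key_offset + key_len:key_offset + key_len + secret_len]
    return xor_obfuscate(encoded, key)


if __name__ == "__main__":
    print("naive build leaks:      ", scan_for_secrets(NAIVE_BINARY))
    print("obfuscated build leaks: ", scan_for_secrets(OBFUSCATED_BINARY))
    print("but secret is recoverable:",
          recover_from_obfuscated(OBFUSCATED_BINARY, 4, len(XOR_KEY), len(HARDCODED_KEY)))
```

The scan catches the plain build and misses the obfuscated one, which is the "raises the bar" effect; the last call shows the secret was never removed, only moved. The practical conclusion for a defender is that secrets belong outside the artifact (configuration, a secret store, hardware-backed key storage), with the scanner kept as a regression check that nothing got compiled in by mistake.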

Though code obfuscation raises the bar significantly, closed source is no panacea for software security.
On the other hand, some claim that open source software has a big security advantage: letting more developers scrutinize your code, they argue, makes it more likely that security-related bugs are found and repaired in a timely manner.

Fallacies that go beyond the confusion over the many-eyeballs phenomenon are described in the book Building Secure Software (John Viega and Gary McGraw, Addison-Wesley, 2001) as follows. Please consult this reference for more details about this discussion.

Microsoft Fallacy:

  1. Microsoft makes bad software.
  2. Microsoft software is closed source.
  3. Therefore all closed-source software is bad.

Java Fallacy:

If we keep fixing the holes in a given piece of software, eventually the software will be completely secure.


VI.IV.II Q

Question: Is this “Many-Eyeballs Phenomenon” Real?
