Recently we all had to wrestle with the Heartbleed bug. Heartbleed was (and on unpatched systems still is) a major flaw in certain versions of OpenSSL: a missing bounds check in the TLS heartbeat extension that lets a peer read chunks of the other side's memory. OpenSSL is itself an “open source” project, and this has had all of the armchair developers (myself included) either defending the concept of open development or attacking it on the grounds that it is less secure. I hold strongly to the former opinion, that open development is a better way of doing things, but that is rooted more in my personal philosophies (which I do believe have merit) than in any strong study of the issue itself.

A quick Google search shows me that most people don’t even think about it; they just speak their mind and move on (like so many other topics…) and as a result make a lot of idiotic statements one way or the other. Hopefully this isn’t just another idiotic statement adding to the noise :). That same search also tells me that very little hard research has been done on the matter to validate anyone’s opinions.

Well, now a critical vulnerability has been found in Internet Explorer (a use-after-free bug, CWE-416), and there is already evidence of its exploitation in the wild. Internet Explorer, being developed by Microsoft, is completely closed source. The vulnerability has been present for some time, as it affects several versions of the browser. Microsoft has yet to patch it, and it has been publicly known since, I believe, Sunday, April 29th.

What is my point? Simply and delicately put, stuff happens. Whether your development model is open or closed, vulnerabilities can (and will) be introduced into the code, either unintentionally or intentionally. That holds for a big company like Microsoft, which I would guess does pretty solid code review, and for an open project with tons of very intelligent people working on it and a whole community poring over it.
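To show how a bug of the Heartbleed kind slips past both maintainers and reviewers, here is a constructed example, added here and not taken from OpenSSL or from the original post, of a simplified heartbeat handler. The record layout (type byte, two-byte big-endian payload length, payload, 16 bytes of padding), the `hb_*` function names and the `'S'` bytes standing in for neighbouring memory are all assumptions made for the demo. The trusting version takes the payload length from the attacker-controlled field and never compares it with the length of the record actually received, which is one `memcpy` argument that reads perfectly naturally in review; the checked version adds the two length comparisons that the real fix amounted to.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record (an assumption, not OpenSSL's layout):
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : payload length, big-endian (attacker controlled)
 *   bytes 3..   : payload, followed by HB_PADDING bytes of padding          */
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (3 + 65535 + HB_PADDING)

static uint8_t g_resp[HB_MAX_RESP];   /* reply buffer, large enough for any claimed length */

/* Trusting handler: the bug is that rec_len (what actually arrived) is never used.
 * Returns the number of reply bytes written to out.                              */
size_t hb_process_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                   /* never consulted: the whole bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);               /* reads past rec when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Checked handler: same logic plus the two comparisons that make the copy safe.
 * Returns the reply length, or 0 when the record is malformed and must be discarded. */
size_t hb_process_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)                /* header and padding must fit at all */
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                    /* declared payload exceeds the record */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);               /* now provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Constructed scenario: a 5-byte request (payload "hi") that claims a 40-byte
 * payload, placed directly in front of 64 bytes of unrelated data marked 'S'
 * (standing in for whatever else lives in process memory). The over-read stays
 * inside the arena so the demo itself is well defined. Returns how many 'S'
 * bytes end up in the trusting handler's reply.                                 */
size_t demo_leaked_bytes(void)
{
    uint8_t arena[5 + 64];
    memset(arena, 'S', sizeof arena);
    arena[0] = 1;                                    /* heartbeat request */
    arena[1] = 0; arena[2] = 40;                     /* lies: claims a 40-byte payload */
    arena[3] = 'h'; arena[4] = 'i';                  /* the only real payload */

    size_t n = hb_process_trusting(arena, 5, g_resp);
    size_t leaked = 0;
    for (size_t i = 3; i < n - HB_PADDING; i++)      /* walk the echoed payload only */
        if (g_resp[i] == 'S')
            leaked++;
    return leaked;
}

/* Runs the checked handler on a well-formed 21-byte request (payload "hi" plus
 * 16 bytes of padding) whose length field is set to `claimed`.
 * Returns the reply length, 0 meaning the record was discarded.                 */
size_t demo_checked(uint16_t claimed)
{
    uint8_t rec[1 + 2 + 2 + HB_PADDING];
    memset(rec, 0, sizeof rec);
    rec[0] = 1;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    rec[3] = 'h'; rec[4] = 'i';
    return hb_process_checked(rec, sizeof rec, g_resp);
}

int main(void)
{
    printf("trusting handler: %zu bytes of neighbouring memory echoed back\n", demo_leaked_bytes());
    printf("checked handler, honest length 2: reply of %zu bytes\n", demo_checked(2));
    printf("checked handler, inflated length 40: reply of %zu bytes (0 = discarded)\n", demo_checked(40));
    return 0;
}
```

The difference between the two handlers is two `if` statements, and the missing ones do not look like an omission when the copy is read on its own. That is the kind of defect neither an internal review team nor a crowd of readers is guaranteed to catch, which is the point of the paragraph above.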

I think trying to use either event as an example for or against one form of development is erroneous at best.

My-2-Cents… (and as we can all have blogs now… the world is full of “change”)

References:
http://en.wikipedia.org/wiki/Open-source_software_security
http://www.csoonline.com/article/2133727/access-control/cryptocat-vulnerability-excuse-sparks-debate-over-open-source.html
http://www.pcworld.com/article/2141740/is-open-source-to-blame-for-the-heartbleed-bug.html
http://krebsonsecurity.com/2014/04/microsoft-warns-of-attacks-on-ie-zero-day/
http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
https://cwe.mitre.org/data/definitions/416.html
http://www.kb.cert.org/vuls/id/222929
http://www.npr.org/blogs/thetwo-way/2014/04/28/307763583/u-s-tells-users-to-stop-using-internet-explorer-for-now

