Securing Open Source – Many Eyes, the Triple Fence and the Community Development Model
The open source development model is based on interactions across communities and among community members – project developers, platform creators, and end users. These interdependent communities constitute a ‘triple fence’ that keeps projects free of malicious and exploitable code in different yet complementary ways. Ideally, the various communities of developers, integrators, and end users work together to monitor, curate, and improve code quality over time – catching security flaws in the process.
The triple fence is an intriguing concept. Unfortunately, it’s not clear whether it’s enough to secure many significant open source projects – Bash, SSL/SSH and glibc, to name a few. In theory, many eyes look at open source code as it’s developed, integrated, and deployed; however, in practice, too many of these eyes are busy elsewhere and too few are security savvy. What’s missing is ongoing curation. Developers and end users take for granted the security of many projects, but the reality is that too few people maintain piles of code that may be months or even years overdue for security review.
The open source software development process, while outwardly straightforward, can be fraught with complexity. Code might be presumed mature, but could rely on technology developed a decade or more ago and might still contain significant vulnerabilities. Open source security vulnerabilities can arise from many causes, including misconfiguration by end users, programming errors, and short-sighted protocol design. Given this reality, a holistic view of security is critical for organizations that rely on open source software.
Read More (originally published on Open Source Delivers on 06/04/2015)