In a blog post, Cryptocat took full responsibility for the flaw and added, "We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security."

The comment baffled Paul Royal, associate director of the Georgia Tech Information Security Center. "He could have generalized the statement to: 'This is the process of software security - period,'" Royal said on Monday. "I don't quite understand why open source makes it inherently risky, like somehow because software is proprietary a developer will not make a mistake."

However, other experts disagreed, saying that because open-source software is developed by an unpaid group of engineers, there are going to be security lapses. "Since open source software isn't owned by anyone, there are no dedicated software maintenance people and enhancements are made by whoever can and wants them," said Murray Jennex, associate professor for computer security at San Diego State University.

Dan Olds, an analyst for Gabriel Consulting Group, agreed, saying developers paid to build software have more at stake in getting it right. "The key difference is that commercial developers depend on the quality of their product to pay their mortgages and feed their families," Olds said. "I would argue that this forces commercial developers to pay more attention to bugs and to do more rigorous testing." In addition, companies can be held liable for software left insecure due to negligence, Olds said.

Morgan Davis, a senior trainer and engineer at Security Innovation, said it's not fair to blame open-source security. "The failures of Cryptocat are not failures of open-source versus closed-source development, but rather a failure in the secure development process," Davis said.

Cryptocat published a threat model for its namesake software that is "rudimentary at best, and never identifies cryptography as being a potential weak point," Davis said. "They failed to execute effective security practices in requirements, design, implementation and throughout the rest of the development process," he said. "Consequently, they - through their crypto-ignorance - implemented a terrible series of crypto-blunders," he said.

A major difference between proprietary and open-source software is that the latter's source code is available to everyone, including hackers. Commercial vendors will place protective layers over their code to prevent the theft of their intellectual property, Royal said. While that means less skill is needed to find vulnerabilities, there is no shortage of experienced developers who can do the binary reverse engineering needed to find as many flaws in proprietary applications, Royal said. "The primary difference will be in the level of skill at which a person can reverse engineer to discover that vulnerability," he said.

But that has not stopped hackers from exploiting a steady stream of vulnerabilities in Microsoft Windows and Adobe Flash, examples of popular applications often targeted by cybercriminals. Therefore, the ubiquity of the software is what dictates the risk, Royal said.