Open-Source Security Software – The Most Popular Open-Source Security Study
There is a very large, if somewhat unscientific, body of research showing that open-source software is much more secure than closed-source software. This body of research consists of a small number of highly reputable studies conducted by academic institutions across a wide range of fields over several decades. These studies have consistently shown that open-source software is significantly more secure, both technically and as a matter of practicality (i.e., the level of trust that users can rely upon).
These studies have also shown that the general consensus on the security of open-source software has been fairly stable for a number of years, with most researchers agreeing that it still holds up today (this is one of the many reasons we believe open-source software is a great idea).
It is no surprise, then, that the most popular open-source security study out right now is a study from Carnegie Mellon University that has been cited more than 1,000 times and downloaded more than 1 million times. It was initially published in 1999 and has received over 3,000 citations since. The full paper on which this study was based, Carnegie Mellon University Security Engineering Paper-1, can be accessed in PDF format here.
“The goal of an investigation is to document what is available, what has been tested, and what has been shown to be effective and practical. The investigation must then provide an assessment of the level of confidence that users (i.e., the end users of the products) can rely upon.
“The goal of an investigation is to document the level of security (or lack thereof) and the confidence in the level of security that users can rely upon.
“The goal of an investigation is basically to document the level of confidence that users can rely upon. If this level is low, the investigation has concluded that the product is insecure.
“The goal of an investigation is to describe the level of security available.”
Where Does Your Enterprise Stand on the Open Source Adoption Curve?
Scorecards in the Open Source Adoption Curve, Part 2.
by: Steve W.
In its first installment, “Scorecards: The New Open-Source Security Software,” in the December 2009 print edition of InfoSecurity, I described a number of new software products being produced by Google which, according to the information I cited, can provide information security personnel with a valuable tool for assessing the maturity of open-source software technologies from the viewpoint of their intended roles. The companies I quoted (the “NexGen” project, for example) are offering tools that enable organizations to “measure and evaluate the software maturity of open-source software” in order to “promote use of such a technology in the development process.”
This second part of the InfoSecurity article will focus on Google’s new open-source security software and how it performs when deployed in a high-compliance setting. Google’s “NexGen” products, for example, are being offered by three different research groups specializing in information security. One (and only one) product is being offered at this time by the Center for Information Technology Research (CITRIS) at Carnegie Mellon University.
What follows in this second part is the second in a series in which I will discuss the Open Source Adoption Curve (OSAC). This is a tool I have written about before; it compares the security maturity of open-source software in a manner that enables organizations to evaluate the security of open-source products based on their intended roles. The OSAC is not a measurement tool or a ranking tool, but rather a tool that facilitates comparison of the security maturity of open-source products.
One of the first things I did when I learned about the OSAC was to ask my readers how they felt about it, and they have been enthusiastic about it from the beginning. Many people have commented on it since, and they say it is not a threat to their security posture.
Vulnerabilities in Open Source Software
“Forget about all the things that you’ve heard about security. Your computer will be much more secure because Google designed the security program for you.” This is what the title of my keynote for the upcoming Google I/O Security Summit, “What You Need to Know About Google Security Programs,” suggests. The point of my talk to a Google Security Summit audience of about 40 developers at the Google I/O booth at the Google headquarters in San Jose, California, was to reiterate what the audience had heard more than once in the past: that all Google security programs are new and that they are the most secure, yet most opaque, security programs in the world.
In fact, the audience was not in the least surprised by the statement. This was a theme I had heard many times over my career: that the only security programs worth a darn are those written by companies with the biggest marketing departments in the world, and that Google Security Programs are the only security programs worth writing.
Google Security Programs are not new, and I don’t think anyone here at Google would deny this. What they do, however, is create more friction than Google’s previous security programs: there is considerably less opportunity for Google’s security experts to sell you on the value of their new security products, because those products are so new.
So what do I mean by this? Let’s talk about it a little more carefully.
Now, all of you have already heard me say that Google Security Programs are all open source and free, so there is no doubt that they are more than just Google Security Programs. The problem I have with the statement that “Google Security Programs are the most secure, yet most opaque, security program in the world” is that it makes it sound as if Google has only one security program that does what it has been asked to do. In other words, it sounds as though the only way to be sure Google is secure is to buy the most secure security program, and that security programs are only good if they are open source and free.
All of this is simply false.