
Comments

James

Liferay Enterprise Portal has already jumped on the security bandwagon and is miles ahead of its closed source competitors. Maybe if security folks started amplifying the products that are built on sound security practices then things would get better.

Gunnar

Right, there are a number of cases where open source is ahead, but it is not automatically ahead of closed source in all cases. For example, while MS is hiring every security person they can find, security people are bailing out of PHP for lack of support. Look at how many people work on the Apache project. How many work on mod_security and mod_proxy?

LonerVamp

Good post. I think open source has peer review which can "out" issues with the code more quickly. But closed source has more economic incentive to incorporate security.

Stefan's story is felt beyond pro bono open source projects and is part of any security team's experience in the corporate space. Trying to bake security into a process is largely met with lots of dislike and even hate...until management buys in or an incident pressures the stakeholders or money coffers.

I feel that as long as technology is moving at this rapid clip, trying to get security to catch up is a nearly futile effort. Everyone wants features and functionality, not "limiting" security. Security is best adopted with established technology and operations and processes. In the end, almost everyone would rather get something done, than jeopardize getting it done but with security added in. :(

I posted more thoughts a few days ago on Open Source in my link.

PHP Developer

"The people involved are too poisonous and arrogant to change, therefore PHP will not change and become safe."

This statement is by Andrew van der Stock of OWASP, not Stefan Esser. The poisonous, arrogant attitude he is referring to is Stefan Esser's.

Stefan's departure from PHP is a good thing, and his public reasons for unsubscribing from [email protected] are dishonest.

You did get one thing right. This isn't the first time we have seen this, but now that Stefan is gone, hopefully it's the last.

Sam

I have to agree with the anonymous PHP developer, Gunnar: Stefan Esser has a history of being profoundly negative, hostile, and self-aggrandizing, so I am not surprised to see him pack up and take his marbles home. He has made spot-on observations and technical criticism of PHP security flaws, but I find that I have to run everything he writes through a "remove Stefan's vitriol" filter.

That said, I do agree that PHP needs a security architecture (I'm not sure what happened to Andrew's proposal; I'll have to ask him). Ease of entry for unskilled programmers is not completely to blame for PHP's security woes. (Likewise, a security architecture such as you find in Java or .NET is not nearly enough for developers to write secure software.) It's also clear that, as you have written before, the open source world is not keeping pace with changes in the security world in nearly the same way that Microsoft does. Near the heart of the matter is your question about the role of market and customer relationship in open source. I have no answers right now but would like to explore that further.

Gunnar

Sam: exactly. Customer demands drive a lot of what closed source vendors do. In many cases this involves said vendors developing lots of chrome. Fleeing this chrome is what drives a lot of us to open source.

But customers discover that they rely on their systems and don't like data to disappear or their SSNs broadcast on the web, and so they evolve. They start asking/demanding vendors do a better job with security. Some of the smart vendors like MS listen.

Now open source is not driven as much by this customer-supplier ethos. There are lots of good things about not being totally customer focused; for one thing it gives way to systems like OpenBSD that can push the envelope on security, but what about general purpose open source like LAMP? They are not dealing with security on the same level as the leading edge closed source vendors and they are not innovating (or even learning from the innovations) like leading edge open source projects. So what drives these projects to improve their security? Microsoft has been hiring every security person they can for years. In open source it is fine to dismiss someone who leaves a project as a jerk, but where is the Plan B for security?
