this post was submitted on 04 Feb 2022
15 points (85.7% liked)

Security

5005 readers
2 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
 

I find people who agree with me for the wrong reasons to be more problematic than people who simply disagree with me. After writing a lot about why free software is important, I needed to clarify that there are good and bad reasons for supporting it.

You can audit the security of proprietary software quite thoroughly; source code isn't a necessary or sufficient precondition for a particular software implementation to be considered secure.

you are viewing a single comment's thread
view the rest of the comments
[–] X_Cli@lemmy.ml 8 points 2 years ago (2 children)

Good article. Thank you. You make some excellent points.

I agree that source access is not sufficient to get a secure software and that the many-eyes argument is often wrong. However, I am convinced that transparency is a requirement for secure software. As a consequence, I disagree with some points and especially that one:

It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit, it’s just not the main way they’re found nowadays.

In my experience as a developer, the vast majority of vulnerabilities are caught by linters, source code static analysis, source-wise fuzzers and peer reviews. What is caught by blackbox (dynamic, static, and negative) testing, and scanners is the remaining bugs/vulnerabilities that were not caught during the development process. When using a closed source software, you have no idea if the developers did use these tools (software and internal validation) and so yeah: you may get excellent results with the blackbox testing. But that may just be the sign that they did not accomplish their due diligence during the development phase.

As an ex-pentester, I can assure you that having a blackbox security tools returning no findings is not a sign that the software is secure at all. Those may fail to spot a flawed logic leading to a disaster, for instance.

And yeah, I agree that static analysis has its limits, and that running the damn code is necessarry because UT, integrations tests and load tests can only get you so far. That's why big companies also do blue/green deployments etc.

But I believe this is not an argument for saying that a closed-source software may be secure if tested that way. Dynamic analysis is just one tool in the defense-in-depth strategy. It is a required one, but certainly not a sufficient one.

Again, great article, but I believe that you may not be paranoid enough 😁 Which might be a good thing for you 😆 Working in security is bad for one's mental health 😂

[–] Seirdy@lemmy.ml 2 points 2 years ago (1 children)

Linters are a great thing I should've mentioned, esp. ones like ShellCheck. The phrase "low-hanging fruit" has been doing a lot of heavy lifting. I should mention that.

I talked a lot about how to determine if software is insecure, but didn't spend enough time describing how to tell if software is secure. The latter typically involves understanding software architecture, which can be done by documenting it and having reverse engineers/pentesters verify those docs' claims.

It's getting late (UTC-0800) so I think I'll edit the article tomorrow morning. Thanks for the feedback.

[–] Seirdy@lemmy.ml 2 points 2 years ago (1 children)

@X_Cli@lemmy.ml I updated the post to add a bit to one of the counter args, with a link to your comment. Here's a diff

[–] X_Cli@lemmy.ml 1 points 2 years ago