How Closely is Open-Source Code Examined?

The common wisdom assumes that open-source products get reviewed more often and with more quality. After all, the source code is open for everyone to see, so it must be getting reviewed, right? And closed source is closed, so it's not getting reviewed, ri

The usually simmering open source vs. closed source debate boiled over recently following the leak of Windows source code on the Internet. And it boiled over here too.

Some 95 percent of the response to my column on the Windows source code leak and what it might indicate about the value of closed-source code as a security technique said that I didn't get the point: Since open source is open, it gets a better code review. Anyone can get the source, look at it and find problems in it.

Inherent in this argument is the assumption that closed-source projects don't get code reviews, or at least that they get inferior ones. I'm not so sure this is true. In fact, there's no reason to believe that closed-source companies can't do a good code review, and not a lot of reason to assume that open-source projects are getting all the code review that people think they get.


Meanwhile, there isn't any official system for reviewing open-source code for security problems. It's one of those ad hoc, community arrangements.

Unquestionably a lot of checking happens; some from the same consultants who do "black box testing" of Microsoft products, and some from other open-source developers. Recently, however, an attempt to set up a formal organization, called Sardonix, to organize these reviews, essentially failed when funding dried up after nobody showed up to do the reviews.

A SecurityFocus article on the failure hints at the reasons: people don't want to volunteer to do the boring, rote parts of a real security audit. Instead, they want to find scary vulnerabilities and exploits, and then bask in the glory of having found them.

The only contributions to the project came from Berkeley grad students under the direction of a professor. This is actually a great idea for an academic-driven project, but it doesn't give me a warm feeling about the level of experience of the reviewers.

On the other hand, the people at Microsoft who do code reviews are paid to do it. How well they review code is tied to their own performance review and their own compensation.

According to Michael Howard, senior program manager in Microsoft's security business and technology unit, if a vulnerability is found in code you wrote or reviewed, it's going to be noticed, and it will affect your own performance evaluation.

This strikes me as a pretty good incentive to be careful.
