    Open Software, Secure Software

    Written by

    Steven J. Vaughan-Nichols
    Published February 25, 2004

      Fifty-plus years ago Grace Hopper used her experiences with programming the UNIVAC with FLOW-MATIC (an open-source project) to write her first compiler paper, and the modern era of computer programming began. Some would also say that things haven't improved much since her day.

      Indeed, the National Institute of Standards and Technology (NIST) estimated that in 2001, $59.5 billion annually, about 0.6 percent of the gross domestic product, was being lost because of software bugs. The Sustainable Computing Consortium (SCC), an academic, government and business initiative to drive IT improvements, estimates that's on the low side. Its estimate is that defective computer systems cost U.S. companies alone over $200 billion annually. Yow!

      Hardly a week goes by that we don't report a major software bug or security hole at eWEEK.com. As Gregory Tassey, the senior economist in charge of the NIST report, says, “Software is at the extreme end in terms of errors or bugs that are in typical products when they are sold.”

      Jim Laruf, senior researcher at Microsoft Research, agrees: “We've been writing software for about 50 years and we still produce software with a high number of bugs. Our tools have gotten better, but the quality of our code doesn't reflect this.”

      The general rule of thumb is that it takes $10 to fix a bug during development, $100 to fix it in QA, $1,000 to fix it during beta testing, and $10,000 or more to fix it post-deployment.

      Why do we waste so much time and money?

      Jim Johnson, chairman of the Standish Group, an IT investment-planning group, says it's because, “Microsoft taught us we can get away with sloppy code. And, from the mid-'90s to early 2000s, most programming was sloppy. Now there's a push back for better quality software, both from fed-up end-users and from the sheer costs of bugs.” All too often, programs are written in a hurry to hit unrealistic deadlines, and bug-fixes are accepted as a natural part of the post-release process.

      I wouldn't say it was Microsoft, though. I'd say it was a combination of the factors that Johnson mentions and proprietary software.

      My esteemed colleague Larry Seltzer disagrees. In his latest column, he comments, “Open source doesn't make code secure, nor does closing source make it insecure.” To me, the bottom line is that the more eyes there are on the code, the better the chances are that someone is going to catch a mistake. And with open source you do get more, and, what's more important, better eyes on the code.


      No one may get paid for it, nor will their performance evaluation necessarily be affected, but, as Eric Raymond points out in his classic The Cathedral and the Bazaar, those factors may not be what motivates open-source programmers. Instead, they're motivated by a search for excellence and peer recognition. As Raymond says, the open “style greatly accelerates debugging and code evolution.”

      Why? Raymond explains, “One key to understanding is to realize exactly why it is that the kind of bug report non-source-aware users normally turn in tends not to be very useful. Non-source-aware users tend to report only surface symptoms; they take their environment for granted, so they (a) omit critical background data, and (b) seldom include a reliable recipe for reproducing the bug.”

      “The underlying problem here is a mismatch between the tester's and the developer's mental models of the program; the tester, on the outside looking in, and the developer on the inside looking out. In closed-source development they're both stuck in these roles, and tend to talk past each other and find each other deeply frustrating.”

      “Open-source development breaks this bind, making it far easier for tester and developer to develop a shared representation grounded in the actual source code and to communicate effectively about it.”

      No beta test for a proprietary program can duplicate that experience.

      This doesn't work for all open-source projects, however. For example, if an open-source project has only a handful of user/developers, there simply aren't enough eyes to make a real difference to the final product. But for popular open-source programs, such as Linux, Apache or Samba, open source ensures that the overall code quality will be better.

      The real problem with programming for security, open source or closed source, is that it is, as Seltzer observes, darn hard to accomplish. In all the programming projects I know of, with the exception of the open-source OpenBSD operating system, functionality and speed come first, with security a distant second.

      Thus, while open source doesn't necessarily make code more secure, it does promote the rapid evolution of better code. And this in turn, from where I sit, means popular open-source programs are inherently more likely to be secure than their proprietary cousins.

      eWEEK.com Linux & Open Source Center Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way.
