This article is translated and expanded from Jeff Atwood's "Given Enough Money, All Bugs Are Shallow".
Money (costs) and bugs (software defects) are closely related. Let me list some rules:
The later a bug is detected, the higher the cost of fixing it. Sometimes that cost is not merely proportional to the elapsed time but to the square of it.
A single overflow of a 64-bit floating-point number caused the Ariane 5 rocket to explode a few seconds after leaving the launch pad. Or the mistake of a European scientist working for NASA who calculated in metric units while his American colleagues used miles, leaving the lander without enough energy to send its data back to Earth.
Eric Raymond once wrote, "Given enough eyeballs, all bugs are shallow" ~ with enough people looking, every error will be found. This idea is the foundation of open source software: by letting anyone view the source code and report bugs, over time the software ends up less buggy than closed-source software. Linus's Law says much the same. This is basically true. Code written by 10 programmers in a small company cannot be scrutinized as thoroughly as a project whose source is open on GitHub.
However, the Heartbleed SSL bug shows a paradox in this rule. The bug was so dangerous that it affected 18% of all HTTPS sites on the web. Attackers could read SSL-encrypted traffic as if it were unencrypted, for two consecutive years. Yes, 2 years in a row! (How many trade secrets, personal records, account numbers and passwords were stolen because of Heartbleed? Who could count them?)
OpenSSL, the library containing this bug, is an open-source library used in most Linux, Unix and Mac OS X operating systems. Should it not have been carefully tested and evaluated before being put into use?
In fact, it is difficult to fix most open source software. I know this because I rarely fix open source bugs even though I'm a professional programmer. Usually I report back to the author of the code and wait to see how he corrects it. ~ Neil Gunton
Even for those in the community who read the source code, it is difficult to find deeply hidden errors, because very few of them are security experts. ~ Jeremy Zawodny
The fact that many users (many eyeballs) look into open source software does not necessarily make it safer. On the contrary, it leads many people to assume that the software is very safe -> the crowd effect. ~ John Viega
I (Jeff Atwood) found some problems with Linus's Law:
- Using software is different from developing or modifying it. Downloading an RPM package (Ubuntu), compiling the source code on Linux or reporting a bug to the author does not mean that you have actually reviewed or scrutinized the source code. Most programmers who reuse open source code only look at the API functions; few read the source code behind those functions.
- Copy & paste is easier and faster than actually taking the time to read and critique someone's source code. The more code is written, and the more libraries and frameworks compete on functionality, the fewer people are interested in evaluating their security.
- The community does not have enough real experts to evaluate the source code. The number of programmers has increased, but the depth of expertise has not.
Heartbleed is a practical example demonstrating all three of these issues.
More and more companies pay bonuses to the community to find security flaws
Some companies organize their own competitions, others go through platforms such as BugCrowd, Synack, HackerOne and Crowdcurity. Software owners pay white-hat hackers to dig deep and catch their mistakes. The harder a bug is to find and the more dangerous it is, the higher the reward. For example, the Pwn2Own prizes amount to hundreds of thousands of dollars. Today's message: if you want your software to be really safe and of high quality, pay experts to compete to find its bugs.
Money turns security bugs into hostages
When money is paid for finding security bugs, security researchers often sit on the bugs they find, waiting until the prize is big enough before disclosing them. While these experts hold on to a bug, it still exists, and black-hat hackers may be silently exploiting it. Scary, isn't it? Another downside of paying for security bugs! I (Jeff Atwood) liked how Google changed Pwnium:
- The annual security competition was turned into year-round work.
- The bonus amounts were raised very high.
Finding security flaws becomes a personal responsibility rather than a collective one
As the saying goes, a father shared by everyone is mourned by no one. Some people reported a few small security bugs on Discourse and then left. Open source is given away for free, so it is unreasonable to pay people for finding bugs in it. Here is what I did: I value the bug reports from the community, and I thank reporters by sending a sticker or T-shirt, thanking them directly by email, and crediting them in the source code when the fix is committed.
If you don't pay for errors, is open source still secure?
Big companies with strong finances offer prizes that attract bug hunters looking for bounties. So, if the software is low-cost or free, will it still be of interest to bug hunters? The tendency to hold a security bug hostage in exchange for a bounty is actually rare. I have received solicitation emails of this type.
What to do?
Every developer and programmer shares at least one goal: making the software more stable and safer.
Bug bounty programs are an effective alternative to opening the source code to more users, and they get bugs reported faster. I have some tips for programs of this type:
- Your company should appoint experts to receive bug reports from the community or bounty hunters, with a good process to reproduce each bug clearly.
- Organize reward activities that encourage the community to work together to find bugs, rather than conceal them and wait for a prize.
- Build a transparent system that recognizes the contributions of the individuals who find bugs.
- Encourage large organizations to fund bug hunting for open source projects, not just closed-source projects.
ITZone via Techmaster