Open is Not Necessarily More Secure

Researchers found a bug in glibc. This library has been around for a long time and is used in lots and lots of software. I’m sure there are some programmers unaware that the software they wrote itself uses glibc. However, despite all the people who must have looked at this library over the years, no one noticed the bug and disclosed it.

The maintainers missed the bug, and they took quite some time to patch the code once they were aware of it. That’s disconcerting, especially because many of the routers we use are potentially vulnerable. What’s worse is that much consumer-grade router firmware likely won’t be upgraded, as companies would prefer you to purchase a new router rather than actually patch their existing products.

I wouldn’t be surprised if someone found the bug and didn’t notify anyone publicly. Perhaps they decided to use this bug to attack software with some criminal purpose in mind. What might be scary is that I am sure that criminal organizations, or even various governments, might actively look for issues such as these and take advantage of them.

I’m glad the issue was found and can be patched. Certainly, having code open for viewing means that researchers and organizations can examine it, looking for issues. However, the fact that software is open doesn’t mean it is more secure. Security depends on careful examination of all the code, which may or may not happen for plenty of FOSS software. I’m not implying FOSS is better or worse than closed-source, vendor-written software. Just be aware that you can’t assume it’s more secure.

Steve Jones

The Voice of the DBA Podcast

Listen to the MP3 Audio (2.8MB) podcast or subscribe to the feed at iTunes and LibSyn.

About way0utwest

Editor, SQLServerCentral