The IT security community has been through a few rocky weeks that have been far worse than usual. The recent vulnerabilities found in the Bourne Again Shell (bash/Shellshock) and in OpenSSL/TLS (Heartbleed and Poodle) have been disconcerting, as they were all found in foundational components of the internet infrastructure based on Unix/Linux (long seen as the most secure and most examined platform), all in critical Open Source projects that have been developed and debugged publicly for decades.
Criticism abounds, and some is justified, of course. For example, Roger Grimes from InfoWorld writes here “I’ve always called BS on the idea that the ability for anyone to review open source code means it will always be more secure than closed source software. Even before the latest contrarian example of the Bash Shellshock vulnerability, the idea of ‘many eyes’ was fatally flawed.”
What then to do? Return to closed silos, where developers worked on a proprietary project disconnected from others? While perhaps paid full-time engineers might have caught Shellshock, the fact of the matter is that many engineers, paid full-time for their engineering work, did not discover Shellshock even though bash is part of the systems on which their proprietary code runs.
The recent tempest caused by these bugs, and undoubtedly many more to come, reminds me of some of the points made by Larry Wall, on perl, and on computer and human languages specifically, but in general about the Open Source community as well. Wall writes of the three great virtues of the Open Source approach: diligence, patience, and humility. Or, as he writes unabashedly in terms of their opposites, “laziness, impatience, and hubris.” Certainly, these vulnerabilities have dented the hubris of many an Open Source evangelist, and have shocked some consumers of Open Source software out of laziness into diligence. And this is all a good thing.
Open Source has democratized the process of writing software and allows all, from the expert to the newbie, to share in a common body of code and participate in a project of immense power; the internet, and all of the changes and revolutions it has entailed, is impossible to conceive without Open Source. Moreover, the advantages of Open Source go beyond catching bugs. Certainly, large problems exist, and as a community we will have to rediscover diligence and patience. Yet, all of this is a good thing. After all, as Wall writes, “there’s more than one way to do it.”
Feature Image, Courtesy of bigdom, freedigitalphotos.net.