Reading this article at wired.com, there is a point that seems really good to me. There is a real need to change how code security audits are done, in order to catch bugs like Shellshock a lot faster.
Yet, I disagree with the tenet that Linus's Law is a lie, since having more eyeballs looking for bugs makes catching them more likely, and faster. What happens with some projects, as the article correctly points out, is that they just don't have enough people working on them to catch bugs as fast and effectively as possible. In core projects this can be quite a big problem, since the impact of those bugs on security can be quite big and dangerous for users.
This is why there is an urgent need to change how code audits are carried out, and a need to make software open so we have as many people as possible looking at the code. In a sense, what we need is to have better auditing tools being used as widely as possible to make code both better and with far fewer bugs.
Open source software will always be intrinsically more secure than proprietary software because of the number of developers looking into the code. What is needed is to give those core projects the resources to get more developers on board and the audit tools needed to make their code as free of bugs as possible.
That's the only way Linus's Law will really be as effective as we need it to be, making bugs as shallow as possible.