8 Linux Security Improvements In 8 Years - InformationWeek

Ashu001 (User Rank: Ninja)
6/8/2015 | 11:16:06 AM
Re: Open Source is Superior
Asksqn,

This is not meant to be a defense for Proprietary code, but don't you feel we have had more than our fair share of Vulnerabilities in Open Source environments in the last year or so [Shellshock, Bash vulnerabilities, etc.]?

The Big problem that Open Source has is lack of enthusiasts with Financial Staying power.

Even great programs like TOR & Veracrypt have seen cutbacks (or abandonment of Support).

Why is that the case?

Not really surprising.

Everyone wants to use Open Source (and rave about it), but not many folks want to contribute (financially) to it.

I am reminded of the case of that German Developer who was so close to quitting the entire Development of something as important as Encryption for Email because he had no Funds to spare (Werner Koch, behind GNU Privacy Guard): www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

How does one deal with that situation?

This gentleman got lucky thanks to that propublica article, and he managed to raise the funds he needs to keep the Project going at least for the next 5 years.

What about many other projects which are again manned by just one or two folks?

No easy answers unfortunately.

At least the cash-rich companies have funds to throw developers and other resources at their Security Bugs.

Regards

Ashish.

Ashu001 (User Rank: Ninja)
6/8/2015 | 10:54:50 AM
Re: Path to security starts in development
Charlie,

I am not surprised a bit that these are the primary issues discovered in Linux Security Audits.

Why is that?

If one looks at basic software in General, and especially Coding Best Practices Lists (from OWASP, SANS, etc.), these are all among the Top 10 Vulnerabilities discovered every year.

Guessing that more and more automation in Coding Best Practices will reduce these errors?

Ashu001 (User Rank: Ninja)
6/6/2015 | 11:48:08 AM
Re: More Simple, More Secure
Christian,

Great-Great point!

Kernel bloat has been the topic of many a paper and article and the simple truth is that simplicity lends to security in terms of manageable code.

That is as good a statement as I could have said (and in as simple a fashion as one could put it).

The more complex code becomes, the more chances of error creeping in.

This is also why Apple is moving away from Objective C and towards Swift today.

Open source has enormous fans and traction, just need to keep supporting it going ahead.

Regards

Ashish.

Charlie Babcock (User Rank: Author)
5/8/2015 | 8:41:53 PM
Julia Lawall and other names you don't hear every day
The Coccinelle scanning tool "is currently maintained mostly by myself and Sebastien Hinderer," writes Julia Lawall, its principal author, "with some contributions from Nicolas Palix, Iago Abal, Chi Pham. Several other people have worked on it at various times over the years."
RetiredUser (User Rank: Strategist)
5/7/2015 | 4:24:57 AM
More Simple, More Secure
This is a great reminder of not only the importance of integrating solid development practices no matter how mature your project is, but also that open source code (or "free" as in freedom) has benefits far beyond simply being free. With deep insight into kernel internals, for instance, the entire kernel hacking community has access to code, scanning results, and developer knowledge lending to important security and functional bug fixes.

However, it is also a lesson in bloat. More and more I'm building my kernel with a stripped down footprint, not only choosing Linux-libre over the mainline code that contains non-free "blobs" which could contain security issues that can't easily be fixed because they are closed source objects, but also longing for a more micro-kernel-like build. Kernel bloat has been the topic of many a paper and article and the simple truth is that simplicity lends to security in terms of manageable code.

That said, I have watched the development of Linux since the early days (I'm practically a gray-beard) and it is one of the most impressive projects out there, with lots of strong personalities but with a drive to make sure users continue to have a free kernel that gives people what they need.

Great article for reminding everyone why we love Linux.

Charlie Babcock (User Rank: Author)
5/6/2015 | 5:24:51 PM
Path to security starts in development
Buffer overflows, integer overflows and format string errors are among the top problems buried in Linux code. "The road to application quality and security starts in development," wrote Zack Samocha, sr. director of products at Coverity, in the Coverity Security Spotlight Report on Open Source in 2013.
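The three defect classes that comment names, as an added example in C (not code from the article, from Coverity, or from any commenter): each is shown as the unsafe idiom a code reviewer or scanner would flag, next to the checked replacement. All function names are illustrative, and the inputs in run_checks are constructed for the demonstration.

```c
/* Added example, not from the article or Coverity: the three bug classes
 * named above (integer overflow, buffer overflow, format string), each as
 * the unsafe idiom and the checked replacement. Function names are
 * illustrative, not from any project. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Integer overflow: a buffer size computed as count * elem_size can wrap
 * to a small value, so a later loop over 'count' elements runs off the end
 * of the (too small) allocation. Returns 1 and stores the product in *out,
 * or 0 if the product would not fit in size_t. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;                      /* product would wrap */
    *out = count * elem_size;
    return 1;
}

/* Buffer overflow: strcpy(dst, src) trusts strlen(src), not the size of
 * dst. This copy is bounded by the destination and always NUL-terminates.
 * Returns bytes copied (excluding the terminator), or -1 if src does not
 * fit, in which case dst is left as an empty string. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Format string: printf(untrusted) interprets any '%' in the text as a
 * directive. A fixed format with the text passed as a "%s" argument prints
 * it literally. Returns the length snprintf reports for the line. */
int format_log_line(char *out, size_t out_size, const char *untrusted) {
    return snprintf(out, out_size, "event: %s", untrusted);
}

/* Runs each helper on constructed inputs and returns how many behaved
 * as intended (5 when everything passes). */
int run_checks(void) {
    int ok = 0;
    size_t size = 0;
    char buf[8];
    char line[64];

    /* SIZE_MAX / 2 + 1 elements of 2 bytes would wrap to a size of zero */
    ok += (checked_alloc_size(SIZE_MAX / 2 + 1, 2, &size) == 0);
    ok += (checked_alloc_size(10, 8, &size) == 1 && size == 80);

    ok += (bounded_copy(buf, sizeof buf, "hello") == 5
           && strcmp(buf, "hello") == 0);
    ok += (bounded_copy(buf, sizeof buf, "far too long") == -1
           && buf[0] == '\0');

    /* constructed untrusted input that contains format directives */
    ok += (format_log_line(line, sizeof line, "%x%x") == 11
           && strcmp(line, "event: %x%x") == 0);
    return ok;
}

int main(void) {
    printf("%d of 5 checks passed\n", run_checks());
    return 0;
}
```

The checks mirror what static scanners such as the Coverity and Coccinelle runs mentioned on this page look for: an arithmetic result used as a size without an overflow test, a copy whose bound comes from the source rather than the destination, and a non-constant string used as a format.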
asksqn (User Rank: Ninja)
5/6/2015 | 1:27:14 PM
Open Source is Superior
>> Coverity isn't allowed to release the results of its tests of commercial code [...] <<

Thereby demonstrating why Open Source will always be superior. Meanwhile, Oracle/SAP et al. would rather keep their flaws a big "trade" secret rather than fix security bugs. It's standard operating procedure for commercial vendors to shoot the messenger rather than deal with bugs. And the consumer gets charged for this "service." Open Source clearly provides more bang for the buck, and, you can't get any better than FREE.