If you google the phrase "open source security", you'll find plenty of articles that debunk the "myth" of open source security, fuel the debate of Linus's law vs. security through obscurity, or argue which type of software, proprietary or open source, is more secure. Yet the question "which type of software is more secure?" is impossible to answer. Software security depends on many variables: the programming language used, the practices followed by the individual programmers, the processes imposed by the organization overseeing those programmers, and the configuration of the software by a particular end user.
This issue of the OSBR examines several facets of open source security. Jake Kouns from the Open Security Foundation introduces an open source project which manages a global collection of vulnerabilities, available for free use by the information security community. David Maxwell from the Coverity Scan project discusses their report on code defect trends from an analysis of several hundred open source projects, representing 55 million lines of code, through 14,000 build sessions over a two year period.
The security research featured in this issue is led by the Government of Canada and Canadian universities. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad, and Marc-Andre Laverdière of Concordia University present key concepts related to security hardening and their applicability to the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada discuss the results and recommendations from their analysis of automatic source code verifiers that search for program sanity and security bugs.
In addition to the articles, Michael Geist, Canada Research Chair of Internet and E-commerce Law, discusses Bill C-61, which will amend the Canadian Copyright Act, and suggests actions for those who disagree with the proposed legislation. Alan Morewood from the security division of Bell Canada provides an example of a business reason for using open source to assess an organization's security risk. This month's conference report covers trends in technology marketing and how to build successful communities.
As always, we look forward to your feedback. In particular, we're interested in your suggestions for editorial themes beyond the September issue. If you have a topic you would like to see discussed, send an email to the editor.