Computing Applications Forum


Self-Proclaimed Experts' Open-Source Security Evaluations

In their article "Increased Security Through Open Source" (Jan. 2007), Jaap-Henk Hoepman and Bart Jacobs claimed that open source software will be more secure than closed source. For average users, however, the situation will be the same. They’ll still have to trust some other party to rate the security of the software they use. Whether that party is the vendor, a reviewer, a security analyst, or some open source organization will ultimately determine how much trust a user places in the rating. It is exceedingly unlikely that I would take the time to personally evaluate the security of every piece of software I use, even though I’m reasonably competent at performing such an evaluation.

As an analogy, professional locksmiths work with a standard rating scale to predict how much time a skilled thief with tools would need to break into a particular safe. If I trust the rating scheme, I don’t need to know how the safe works to determine whether I should trust it with my valuables. I don’t want to have to be an expert on safes and locks before buying or using a safe or lock; I want an independent rating.

The analogy to medicine (a self-proclaimed "doctor") is slightly flawed. A better analogy would be if all doctors would publish their full medical school transcripts, with course descriptions, grades, teacher evaluations, and internships, along with the histories of all their patients, including the accuracy of diagnoses and medical treatments. This would allow you (the user/patient) to personally evaluate whether to trust a particular doctor to treat you, much like open source allows users to evaluate whether they should trust some piece of software. Instead, we place our trust in the doctors’ medical training, along with a variety of professional licensing organizations.

Open source security (for most users) means nothing more than a self-proclaimed expert evaluating whether a particular mechanism or piece of software is better than others and recommending which one to use. Even Hoepman and Jacobs admitted "such evaluations are rare (because they are expensive)" and "apply only to a specific version of the software" yet claimed "open source enables users to evaluate the security by themselves or to hire a party of their choice" to do the evaluation.

Reconciling how open source enables better security is difficult without having to pay the same costs of evaluation we already pay today. The argument that security will be improved is unprovable, and immaterial, unless you convince enough people to trust your ratings over someone else’s.

With this in mind, I would also like to see some kind of commentary or response from Jason Kitcat, whose "Source Availability and E-Voting: An Advocate Recants" (Oct. 2004) argued that the potential benefits of open source software in e-voting systems do not address the problems or outweigh the risks of adding technology to the voting process in all forms of e-voting.

Michael Wolfe
Hillsboro, OR
