Hi, I'm Brian Chess, Chief Scientist for Fortify Software, and today I'm going to talk about Open Source Security and why the many eyeballs theory just doesn't work. Now I'm a big fan of open source, but the many eyeballs theory has some problems. Before I tell you about what those problems are, I've got to explain what the many eyeballs theory is.
So imagine you're a software developer and you put some software out there on the internet. Here's your program. And you expect that a lot of people are going to download it and check it out. Now of course, all software has bugs in it. So, you might expect that your software is going to have some bugs in it, too. Now because you've got all these people who've got access to your source code, they're going to tell you about those bugs and you're going to be able to find some of them and get rid of them.
So they found some of those bugs and some of those bugs have security implications, so you wipe those out. So does that make your software more secure? Well, some of those bugs are still there, and that means big security problems. Let me give you an analogy to explain why this theory just doesn't hold water.
Imagine you've got a park, and you'd like to keep your park clean. So what are you going to do, ask the litter patrol to come in after hours and try and clean things up? No, that's not how we keep our parks clean. Instead we put up signs and tell people hey, nobody appreciates litter. We make sure that there are plenty of trash cans around so that people can do the right thing.
So that's what we need to do with software development, too. We need to educate software developers and make sure that they know how to create secure software. We need to give them the right tools, we need to give them the right programming languages so that they can write secure software. But in the end, we can't rely on people who are using open source software in order to make sure that the software is secure. We've got to have the developer be accountable for the software that they create.