Security guru wants access to bug databases

Cambridge academic Ross Anderson argues that empirical analysis of software bug records will prove whether open source code is more secure than closed source, and show the true value of techniques like peer review and extreme programming
Written by Ingrid Marson, Contributor

Security expert Ross Anderson has called for empirical research to be conducted into whether open source or closed source software is more secure, and into the impact that development practices such as extreme programming (XP) have on code quality.

Anderson, professor of security engineering at Cambridge University, asked software developers at the ACCU conference in Oxford on Wednesday to allow security researchers to access their records of software bugs.

"One of the reasons I came here is to ask if you have any interesting databases on bugs," said Anderson. "The sort of questions we're now able to explore are not just whether open or closed [source] systems are more secure, but also on development methodology — how much better is XP, what happens to quality?"

This historical data would allow researchers to track the development of program code and the discovery of bugs. Anderson believes it would provide insights into the impact of XP and peer review on software quality, and the best approach to security patching. In XP, two developers work together and alternate between writing code and offering feedback on its design and accuracy.

Anderson said that empirical research, similar to the randomised controlled trials used in medicine, is more useful than theoretical research on software development.

"Computer science theory doesn't help solve the really hard problems," said Anderson. "Software is now big enough that we can start using statistical methods to measure outcomes."

One of Anderson's research students, Andy Ozment, has already done research using empirical data on bugs found in the open source operating system OpenBSD between 1997 and 2000. This research found that finding and fixing bugs results in a more secure product, contradicting research by security expert Eric Rescorla. Rescorla argued there is little value to finding security bugs — as many people are slow to patch their systems, and software patches can actually help hackers by drawing their attention to security holes in software.

Companies can be reluctant to make their code and bug databases available to researchers, but Anderson told ZDNet UK there are ways to overcome this. "A research student can analyse data under an NDA and we can negotiate what data can be released publicly," said Anderson.