Shellshock, Heartbleed, and the Fallacy of False Prominence
<p>In the wake of the Shellshock bug, I guess I need to repeat in public some things I said at the time of the Heartbleed bug.</p>
<p>The first thing to notice here is that these bugs were found – and were findable – because of open-source scrutiny.</p>
<p>There’s a “things seen versus things unseen” fallacy here that gives bugs like Heartbleed and Shellshock false prominence. We don’t know – and can’t know – how many far worse exploits lurk in proprietary code known only to crackers or the NSA.</p>
<p>What we can project based on other measures of differential defect rates suggests that, however imperfect “many eyeballs” scrutiny is, “few eyeballs” or “no eyeballs” is far worse.</p>
<p>I’m not handwaving when I say this; there are several independent lines of evidence. We have statistics from places like Coverity, which measures defect rates in both open-source and proprietary closed-source products; we have academic research like the University of Wisconsin fuzz papers (Miller et al.), which fed random input to both open-source and vendor UNIX utilities and compared crash rates; and we have CVE lists for Internet-exposed programs.</p>
<p>Everything we know tells us that while open source’s security failures may be conspicuous, its successes, though invisible, are far larger.</p>