“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”
–CIO David Wennergren, Department of Defense (October 2009)
Summary: VeraCode argues that Free software is superior from the point of view of security
THE Register says that “Open source software has comparable security, faster bug fixing, and fewer potential backdoors than commercial software, according to a study on software application vulnerabilities by security firm VeraCode.”
Here is another source speaking about the subject:
Around 58 percent of the applications tested by application security testing service provider Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. “The degree of failure to meet acceptable standards on first submission is astounding — and this is coming from folks who care enough to submit their software to our [application security testing] services,” says Roger Oberg, senior vice president of marketing for Veracode. “The implication here is that more than half of all applications are susceptible to the kinds of vulnerabilities we saw at Heartland, Google, DoD, and others — these were all application-layer attacks.”[...]
Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.
Someone mailed us a pointer to this article last night.
Start-up Israeli security company Trusteer claims to have hit on a different tactic when it comes to combating financial malware and making activities such as online banking more secure.Rather than trying to eliminate every nasty from a user’s desktop, the four year-old company claims its Rapport software establishes a secure link between a customer’s desktop and the bank’s systems, excluding any malware in the process. The approach has been greeted with enthusiasm by analysts with a recent report from Frost and Sullivan neatly distilling the problem and Trusteer’s response to it.
“This is old news,” says one of our readers who comments on “how to combat malware”.
“Some time ago I suggested putting the VPN and IP stack on an embedded device. If they can’t write to it, then they can’t hack it. And seeing as Rapport is just another Windows process it’s just as vulnerable as any other prog.” █
“Thanks to Mr. Gates, we now know that an open Internet with protocols anyone can implement is communism; it was set up by that famous communist agent, the US Department of Defense.”
–Richard Stallman
