Commit 4dabf4b1 authored by Gael Blondelle's avatar Gael Blondelle

Fix a typo in the security blog post.

Change-Id: I977a29778da67b6cc63f43889a7b20676ac3d3b9
parent 94ea75a0
...@@ -27,7 +27,7 @@ Others have studied the correlation between security and open source in a more s ...@@ -27,7 +27,7 @@ Others have studied the correlation between security and open source in a more s
Security wise, the main concern remains the surface of exposure of software code: all the different points where an unauthorized party could try to inject or extract data. The openness in OSS makes it easier for both the good and the bad guys to find vulnerabilities in the code, since it is available for anyone to review (and to fix!). Security wise, the main concern remains the surface of exposure of software code: all the different points where an unauthorized party could try to inject or extract data. The openness in OSS makes it easier for both the good and the bad guys to find vulnerabilities in the code, since it is available for anyone to review (and to fix!).
However, closed models implementing a **“security through obscurity” approach are not necessarily better**. Security is a holistic concept not only depending on the final result, but also linked to the creation and maintenance process, and **open source has the potential to be better than closed source** software in terms of security vulnerabilities being available for public scrutiny and fixes. But **[simply being open is not a guarantee of security](https://www.securityfocus.com/news/19)**; over the past years a few examples have made this clear for the OSS community: (a) the **[Heartbleed bug](http://heartbleed.com/)**, which put the spotlight on OpenSSL, the security toolkit used by many of the internet's largest sites, maintained primarily by [two men who have never met in person](https://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st), (b) the **[Equifax breach](https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/)** that exposed sensitive data for as many as 143 million U.S. consumers, accomplished by exploiting a web application vulnerability that had been [patched more than two months earlier](https://blogs.wsj.com/cio/2018/12/11/the-morning-download-house-equifax-report-cites-faulty-it-structure/), and (c) the **[Apache Struts 2 flaw](https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/)** uncovered recently, which promises to be even more critical than the Equifax Bug, a remote code-execution vulnerability in the popular open-source framework for developing web applications in the Java programming language which could lead to full endpoint and network compromise. However, closed models implementing a **“security through obscurity” approach are not necessarily better**. 
Security is a holistic concept not only depending on the final result, but also linked to the creation and maintenance process, and **open source has the potential to be better than closed source** software in terms of security vulnerabilities being available for public scrutiny and fixes. But **[simply being open is not a guarantee of security](https://www.securityfocus.com/news/19)**; over the past years a few examples have made this clear for the OSS community: (a) the **[Heartbleed bug](http://heartbleed.com/)**, which put the spotlight on OpenSSL, the security toolkit used by many of the internet's largest sites, maintained primarily by [two men who have never met in person](https://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st), (b) the **[Equifax breach](https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/)** that exposed sensitive data for as many as 143 million U.S. consumers, accomplished by exploiting a web application vulnerability that had been [patched more than two months earlier](https://blogs.wsj.com/cio/2018/12/11/the-morning-download-house-equifax-report-cites-faulty-it-structure/), and \(c) the **[Apache Struts 2 flaw](https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/)** uncovered recently, which promises to be even more critical than the Equifax Bug, a remote code-execution vulnerability in the popular open-source framework for developing web applications in the Java programming language which could lead to full endpoint and network compromise.
On the other side, if you need to think about security breaches in proprietary solutions or closed source software, just think about the **Microsoft security breaches that we were never told about**, and you should be good to go, for example: that time when [Microsoft responded quietly](https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0) to a detected secret database hack in 2013. Security in the 21st century has proven to have suffered enough [breaches](https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html) both in the open and closed software worlds. On the other side, if you need to think about security breaches in proprietary solutions or closed source software, just think about the **Microsoft security breaches that we were never told about**, and you should be good to go, for example: that time when [Microsoft responded quietly](https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0) to a detected secret database hack in 2013. Security in the 21st century has proven to have suffered enough [breaches](https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html) both in the open and closed software worlds.
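Review bot: the only content change in this hunk is `(c)` becoming `\(c)` in the enumeration "(a) the Heartbleed bug ... (b) the Equifax breach ... (c) the Apache Struts 2 flaw", which looks right: Markdown renderers with a typographic-replacement option (markdown-it's typographer, for instance) turn a bare `(c)` into a © sign, so without the backslash the third item of the list would have rendered as "and ©", and the escape keeps the list consistent. Since the paragraph is being touched anyway, two small wording points on the same lines are worth fixing in the same change: "Security wise" at the start of the previous paragraph should be hyphenated as "Security-wise", and "even more critical than the Equifax Bug" should use lowercase "bug" to match "the Heartbleed bug" earlier in the sentence. The commit message could also say what the change is ("Escape (c) so Markdown does not render it as a copyright sign") rather than "Fix a typo", which makes the reason for the backslash easier to find later.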