Can a decentralized open source community properly address security?

SearchSecurity talks with UC Berkeley Professor Steven Weber about the open source community, the security challenges facing it and the prospect of software liability.

A decentralized open source community can produce a bevy of valuable software, but can it contend with the pressing security issues of today?

Steven Weber, a professor at the University of California, Berkeley School of Information and director of the university's Center for Long-Term Cybersecurity, believes that while there are some disadvantages to open source software, the underlying communities are often well-supported and structured enough to compete on security with their commercial counterparts.

Weber began his career in political science, where he studied decentralized organizations. He later applied those studies to the internet and open source software, and he authored the 2004 book The Success of Open Source. In it, he describes open source software as a political economy with standards, practices and support systems similar to those that exist in the commercial software world.

But can the open source community stay on top of growing information security demands by relying on a collection of disparate, unpaid volunteers? SearchSecurity asked Weber about the state of open source software, how it compares to the commercial software market on security and the role of software liability in that comparison.

Steven Weber: In political science, the problem that interested me in the international relations world was the big meta-problem of decentralized, non-hierarchical, large-scale cooperation. In other words, you have this big international system and you have a lot of countries that can't enforce agreements on each other. How do they ever engage in any sort of long-term cooperative endeavors?

In the mid-90s, I applied that to the internet, and then open source software. It was right around the time that Linus [Torvalds] wrote the original Linux kernel. The problem we were trying to solve was, how do we actually maintain this community over time on an ongoing basis without hierarchical authority?

And that's a problem that I sort of know about in a different world. I started meeting the people who were doing that work at that time, and they were some of the most interesting, eccentric and committed engineers you could possibly imagine.

I don't think the open source community itself was really at fault for this, but once open source software became the thing for a while in the mid-2000s, it was supposed to be the silver bullet. You had people parroting that phrase -- silver bullet -- too [because of the cost savings and flexibility of open source].

From a security perspective, there were a bunch of efforts at that time to actually quantify what was going on with bug identification. It was pretty hard to tell because the baselines weren't there. You can write good software in proprietary worlds and you can write good software in open source worlds, but I think the engineers sort of voted with their feet on that to a certain degree.

There's strong support for open source across the industry. You'd probably be hard pressed to find a top engineer at Google who doesn't want to be running open source code. Another example is [that] the release of many of the data science tools in open source format is almost the default way to do things now.

It's hard to say whether there is more interest and attention paid to open source security today. If you fundamentally believe that the way to get people to invest in security is to create legal liability for software -- and there are people who believe that -- then you probably have to conclude that you'd be better off having proprietary software that belongs explicitly and exclusively to a firm, [and not] to just the open source community.

But when people roll out that argument about the silver bullet being software liability, I come back with the view that if that were actually the case, then some [commercial] firms would be doing better on security. Open source people are so embedded inside the firms that those two things -- [proprietary and open source software] -- are kind of meshed with each other now.

So there's a large, active open source community that supports the software. But it's still the case that very old software that's unattached to an organization and that nobody's paying attention to is going to have the asymmetric attention of cybercriminals.