
Security of Software, Distribution Models: It's Not Just Open vs. Closed (2014) - nickpsecurity
https://pastebin.com/EZQWbwCB
======
nickpsecurity
A prior work on this was Spafford’s “Proprietary vs Open Source” in 2006 [1].
The SCOMP and GEMSOS systems he references are described here [2]. SCOMP was
the first system certified under the TCSEC A1 class [3] in 1985, after five years of
analysis and pentesting by NSA evaluators. I think they spent two years on
GEMSOS at a cost of $50 million, they said. Obviously, most security-focused FOSS
has had nowhere near that amount of review. There’s also never been (that I'm
aware of) a high-assurance, secure system done under the FOSS development model: FOSS
examples were cathedral-style developments by experts, FOSS’d either as they
went or after the fact.

This difference between the high potential of FOSS for security vs. the fact that
all the strongest systems came from the private sector led me to investigate whether
the models could be combined. Also, what impact, if any, did sharing source with
everyone have on security? Almost none, I found, given that a strong development and
review process will leave almost no defects in the system to begin with. The
people building or reviewing, esp. their skill or time allotted, were the
crucial aspect in determining system security. This is also why some of us
almost reflexively trust the security of code produced by certain people or teams:
their mindset, skill, and efforts regularly result in systems or code that
do what they claim. The next one probably will, too. Probably. ;)

[1] http://spaf.cerias.purdue.edu/openvsclosed.html

[2] http://www.cse.psu.edu/~trj1/cse443-s12/docs/ch6.pdf

[3] https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

