The widespread use of vulnerable or buggy third party code is serious problem facing public and private sector organizations, alike. Just this week, for example, The Wall Street Journal reported that an independent audit of Healthcare.gov, the star-crossed Federal Government website that is the primary health exchange in more than 30 states, is choking on poorly integrated or extraneous code that “served no purpose they could identify.”
But what happens when the third-party code in question is open source code? Things get more complex. For one thing: open source is the salt and pepper of the software world: a common ingredient in applications of all sorts. And, as security researchers have noted: many of the so-called “smart devices” that are populating the physical world run variants of Linux, the open source operating system.
But because those source code repositories are managed cooperatively and collectively by volunteers, security often takes a back seat to feature development and integration work. Open source ends up suffering from a variation of the economic principle of the “tragedy of the commons.” In other words, the more it is used, the more depleted it becomes, as each user takes what they need, but fails to give back – managing the resource for the betterment of the entire community.
Now Google has a (partial) fix: using its cash hoard to provide incentives for engineers to improve the security of common open source components including OpenSSH and OpenSSL. This week, I wrote about the new program over on Veracode’s blog. Check it out!
It will be really interesting to see what outside developers find in Google’s open source code. Are there that many bugs that Google wants to find and resolve or is this an attempt to better connect with the OSS community at large?