Security Week in Review (2007-12-06)
Sunday, January 13, 2008

Comments
Coverity is not serious about improving the state of Open Source. Coverity is serious about getting paid for using their (awesome) tools for auditing Open Source. Which is paid by the US government. Which selected Coverity from a number of contestants, based on how much bang for the buck Coverity can provide.
There's nothing really wrong with the situation there. The tools they are using are improving (they are getting money which they can use for serious development and further innovation over time) anyway, and the results are fine (the tools are doing what they should - automatically helping to avoid falling into the traps that are easy enough for a computer to detect). Look at what these commercial tools did to the Linux kernel. When they introduced them the amount of certain types of bugs fell radically and they managed to quietly plug hundreds of critical flaws without anyone outside ever even noticing. Good working example case for obscurity vs security - their security policy using obscurity worked wonders there in real life, and the tools worked magnificently as well, saving Linux folks from many embarrassing moments. Going open source would kill the investments that living on the edge requires, and reduce the quality of their offering in many ways. Not that they are the only possibility. Coverity and their tools are just one of many. You are free to create your own tools if you really feel that unless your zealot views are fulfilled by someone giving out something worth a lot for free just "because" is a must thing and they won't abide. Lol. Sheesh. Jerk.
This isn't really about security by obscurity.
You get an audit using secret methods, but the results are public. You can independently tell if the results are real or not (real bugs or not real bugs). I don't know a heck of a lot about Coverity or software engineering. But Coverity isn't a security system: it's just a tool for finding bugs.

Opening the tool up to public scrutiny could only improve it. It certainly cannot make it worse. Whether it would lead to the owner making less money is a question they undoubtedly have asked themselves. As a small company, sometimes it is hard to get maximum value out of your "IP", no matter whether it is open or closed. However, it isn't out of the question that some other company could buy Coverity and make it open source. For example, if IBM, say, owned it, it might realize the vast majority of its value simply by using Coverity to improve their own products, compared to the value gained by selling Coverity's services to others as closed or open source. Even considering, arguably, that the value of selling the software to others may be minimized if it were open source, how much value remains depends on how hard Coverity is to deploy and use, and how much value can be added to the open source product by properly servicing, teaching, deploying and marketing it. (Should I have to point out that this form of value is significant, and often a greater source of value than just the software itself?) Furthermore, if the tool improved under open source, the value of it improving IBM's products may be more than would be gained by keeping the code secret and selling it as a service. By keeping the tool closed source, Coverity runs a lot of risks too. Somebody could make a better tool, and wreck their business. If it were open source, and there isn't a comparable tool, Coverity's tool might expand its market quicker, and become somewhat standardized, gaining value for the company and its brand.
Another risk is that while Coverity's engineers probably know Coverity well, others, of course, don't. That means that Coverity is under great risk of having an unforeseen accident or event severely affecting their business. If it were open, more people would likely know how Coverity works intimately, and be available to work for the company.