How is Security like Bread Mold?


Posted by Ed on Sep 7, 2006 in Analysis | 2 comments

Did you know that for quite a long time, individuals believed that living creatures could just magically appear out of thin air? It’s true. Up until the middle ages, folks believed that things like mold, maggots (ewww), and mice would just “pop” into existence from other substances like rotting meat and old bread. The theory was called Spontaneous Generation, and if you think about it, it makes sense: you put a piece of bread out on the table and watch it for a while. Magically, the bread “turns to mold”. Amazing. Mystical, even. Nowadays we know that there is more going on behind the scenes that accounts for the mold, but they didn’t know that then.

So where am I going with this? I was reading with interest Klocwork’s analysis of Firefox over at their blog (always interesting reading, by the way.) The background story is that Klocwork ran their source-code analysis tool on Firefox and found a bunch of (potential) programming issues. Now, of course there was a bunch of static in the comments from individuals on both sides of the “are these really issues” fence, and I don’t really have an opinion on that one way or the other. However, it was one of the comments that really got me thinking. Here’s the comment, from an individual going by “clover”:

Actually I do find Firefox to be more secure than IE. Since it’s open source it is easier to audit because you don’t have to reverse engineer it. So far the Mozilla team has been good about fixing vulnerabilities as they arise, compared to Microsoft’s speed in handling these issues…

So that’s the traditional wisdom, right? Open source is easier to audit, ergo it is less likely to have vulnerabilities. But as we know, just because something is a widely held belief (like spontaneous generation) doesn’t mean it’s true; after all, if nobody re-evaluated the assumptions about where bread mold comes from, we’d still all think that it appeared by magic. So is this traditional wisdom true? For a long time, I thought it was. But now I’m starting to reconsider.

Why am I reconsidering this basic premise? Because I have yet to come across anybody except vendors like Klocwork (and to be fair Coverity and others) as well as the occasional researcher (HD Moore comes to mind) who actually do any auditing… No, it’s true: I’ve worked in a broad cross-section of the industry and I can say with experience that I have yet to find anybody who’s doing this seriously: the feds aren’t doing it, industry isn’t doing it, academia isn’t doing it. Who is? Researchers? Researchers only audit code to the extent that it gets them props (trust me, I speak as an ex-researcher) – and the biggest props correspond to the most popular software. So researchers aren’t necessarily auditing open source tools more. So where is all this auditing happening?

Look, if I use an open-source product like Firefox (which I happen to use by the way – because I like tabbed browsing, not for any security reason) instead of IE, does that mean I’m more secure? Maybe, maybe not. What about if I use an open-source browser that’s less popular like Konqueror? Does the fact that it’s open source de facto mean that more people have audited the code just because they have the ability to do so? I think if we think about it logically that we’d have to say “no”. Now I’m not saying that Firefox isn’t more secure than IE (or vice versa by the way), but I am saying that the statement that it’s more secure because it’s open source needs some more justification than a perceived increase in eyes on the code…

2 Responses to “How is Security like Bread Mold?”

  1. The obvious answer to your question is “OpenBSD”. They obsessively audit their code, over and over and over, as they discover new bad ways of doing things. They also audit the more popular applications running on OpenBSD, to the point where their versions of some applications (notably BIND and Apache) are pretty much OpenBSD forks. They brag about their security, but security in a useful Unix is their reason for being, and they have a reasonable basis for bragging! I just wish more projects would audit the way they do …

  2. I agree with you, I believe there must be very few people auditing the open source.

    But still there’s one more group, which does audit the code at some level. Developers who are using those open source tools and suddenly find themselves in need of some improvement which looks simple enough to be added by them. (Of course, usually it turns out it would require rewriting a quarter of the original code, but the partial audit is done at that point :) )