On the security of open source software

Information Systems Journal

Volumn 12, Issue 1, 2002, Pages 61-78

  Payne, Christian ^a  

^a MURDOCH UNIVERSITY   (Australia)

Author keywords

Code review; Computer security; Open source software; Proprietary software; Security vulnerabilities

Indexed keywords

OPEN SOURCE SOFTWARE;

COMPUTER SYSTEM FIREWALLS; INTERNET; SECURITY OF DATA;

COMPUTER SOFTWARE;

EID: 0036116939     PISSN: 13501917     EISSN: None     Source Type: Journal    
DOI: 10.1046/j.1365-2575.2002.00118.x     Document Type: Article

References (29)

1. CERT Advisory CA-2001-01 Interbase Server Contains Compiled in Back Door Account (2001). http://www.cert.org/advisories/CA-2001-01.html
2. Chowdhry, P. (1999) Open source meets the 'Baywatch' factor, http://www.zdnet.com/eweek/stories/general/O, 11011,2352305.00.html.
3. DiBona, C., Ockman, S. & Stone, M. (eds) (1999) Open Sources: Voices from the Open Source Revolution. O'Reilly & Associates, Sebastapol, California.
4. Friedrichs, O. (2000) Secure programming. http://www.securityfocus.com/forums/secprog/secure-programming.html. Version 1.00.
5. Garfinkel, S. (1999) Open source: how secure? http:/www.wideopen.com/story/101.html.
6. Garfinkel, S. & Spafford, E. (1996) Practical Unix and Internet Security, 2nd edn. O'Reilly & Associates, Sebastapol, California.
7. Gross, G. (2000) Panel: open source security needs to be a priority. http://www.newsforge.com/article.p1?sid=00/ 10/17/1830254.
8. Lettice, J. (2001) German armed forces ban MS software, citing NSA snooping http://www.theregister.co.uk/ content/4/17679.html.
9. Levy, E. (1996) Smashing the stack for fun and profit. Phrack 49.
10. Levy, E. (2000) Wide open source. http://www.securityfo cus.com/commentary/19.
11. McAllister, N. (2001) The spy who hacked me: will open source be the hero of international security. http://www.sfgate.com/cgibin/artlcle.cgi?file=/technol ogy/archive/2001/03/15/china.dtl.
12. Moody, G. (1997) The greatest OS that (n)ever was. http://www.wired.com/wired/5.08/linux_pr.html.
13. Netcraft Web Server Survey (2001) http://www.netcraft. com/survey/.
14. Neuman, B. C. & Ts'o, T. (1994) Kerberos: An authentication service for computer networks. IEEE Communications 32(9): 33-38.
15. Norin, L. & Stöckel, F. (1998) Open-source software development methodology, http://www.ludd.luth.se/users/no/ mssc_abstract.html.
16. NSA Security-Enhanced Linux (2000) http://www.nsa. gov/selinux/.
17. Payne, C. (1999) Security through design as a paradigm for systems development. Murdoch University, Perth, Western Australia.
18. Payne, C. (2000) The role of the development process In operating system security. In: Information Security: Third International Workshop, ISW 2000, Vol. 1975 of Lecture Notes in Computer Science. Pieprzyk, J., Okamoto, E. & Seberry, J. (eds), pp. 277-291 Springer, Germany.
19. Pfleeger, C. (1997) Security in Computing. Prentice-Hall, Upper Saddle River, New Jersey.
20. Raymond, E. (2000) The Cathedral and the Bazaar. http://www.tuxedo.org/esr/writings/cathedral-bazaar/.
21. Russell, D. & Gangemi Sr., G. (1992) Computer Security Basics. O'Reilly & Associates, USA.
22. Schneier, B. (2000a) Closing the window of exposure: reflections on the future of security. http://www. securityfocus.com/templates/-forum_message.html? forum=2&head=3384&id=3384.
23. Schneier, B. (2000b) Full disclosure and the window of exposure. Crypto-Gram. http://www.counterpare.com/ crypto-gram-0009.html#1.
24. Simpson, S. (1999) POP DH vs RSA FAQ. http://www.scramdisk.clara.net/pgpfaq.html.
25. SSH1 Session Key Retrieval Vulnerability (2001) http://www.securityfoous.com/vdb/bottom.html?vld= 2344.
26. Thompson, K. (1984) Reflections on trusting trust. Communications of the ACM, 27.
27. U.S. Department of Defence (DOD) (1985) Trusted computer system evaluation criteria. DOD 5200.28-STD.
28. Viega, J. (2000) The myth of open source security, http: developer.earthweb.com/journal/teohfocus/052600_seo urity.html.
29. Ylönen, T. (1996) SSH - secure login connections over the Internet. Proceedings of the 6th USENIX UNIX Security Symposium.