Assessing the importance of open-source software development from a cyber-security perspective

从网络安全角度评估开源软件开发的重要性

• 批准号: 2888123
• 金额: --
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2023
• 资助国家: 英国
• 起止时间: 2023 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2888123
• 关键词: Assessing; importance; open; source; software

From a cyber-security perspective, closed-source software development projects are seen assomewhat more concerning than projects that publish their source-code (in other words, open-sourceprojects). This is primarily due to the major advantages that open-source software can provide froma security perspective. Having access to the codebase as a member of the public allows the contentsof the software to be verified. Bugs and vulnerabilities can easily be identified, and patches can besuggested to the developers of the software, thereby preventing their use under maliciouscircumstances. Closed-source software cannot provide the same advantages, as members of thepublic are not able to examine the source-code and suggest changes. Also, if a malicious user were toidentify a vulnerability, they may be able to use it to their advantage for a significant amount of timebefore being detected (and in some cases, may never be detected at all). Weiss and Bailetti [1] arguethis point further, stating that the use and development of open-source solutions can help to ensurethat the knowledge of any vulnerabilities are shared between different organisations, preventingfurther incidents.My project would firstly involve attempting to further prove this concept, by showing that variousclosed-source software solutions and implementations do, in fact, contain features that were notnecessarily advertised by their developers (which in some cases may be vulnerabilities themselves, orlead to the discovery of vulnerabilities). I believe that it would be valuable to show this in manydifferent scenarios, so an attempt would be made to carry out this work on a more modern system toshow that this is still a current issue, as well as an older system to prove that the problem has existedfor quite a while. In short, the project's primary aim would be to determine the main advantages ofopen-source software from a cyber-security perspective.

从网络安全的角度来看，闭源软件开发项目比发布源代码的项目（换句话说，开源项目）更令人担忧。这主要是由于开源软件从安全角度来看可以提供的主要优势。作为公众成员访问代码库可以验证软件的内容。可以轻松识别错误和漏洞，并向软件开发人员建议补丁，从而防止在恶意情况下使用它们。闭源软件无法提供相同的优势，因为公众无法检查源代码并提出更改建议。此外，如果恶意用户要识别漏洞，他们可能会在被检测到之前的很长一段时间内利用它来发挥自己的优势（在某些情况下，可能根本不会被检测到）。 Weiss 和 Bailetti [1] 进一步论证了这一点，指出开源解决方案的使用和开发有助于确保不同组织之间共享任何漏洞的知识，从而防止进一步的事件。我的项目首先将尝试进一步证明这一概念，通过表明各种闭源软件解决方案和实现实际上包含开发人员不一定宣传的功能（在某些情况下可能会） 是漏洞本身，或者导致漏洞的发现）。我相信在许多不同的场景中展示这一点是有价值的，因此将尝试在更现代的系统上进行这项工作，以表明这仍然是一个当前的问题，以及在较旧的系统上证明该问题已经存在相当长一段时间了。简而言之，该项目的主要目标是从网络安全的角度确定开源软件的主要优势。