Assessing the importance of open-source software development from a cyber-security perspective

从网络安全角度评估开源软件开发的重要性

• 批准号: 2888123
• 金额: --
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2023
• 资助国家: 英国
• 起止时间: 2023 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2888123
• 关键词: Assessing; importance; open; source; software

From a cyber-security perspective, closed-source software development projects are seen assomewhat more concerning than projects that publish their source-code (in other words, open-sourceprojects). This is primarily due to the major advantages that open-source software can provide froma security perspective. Having access to the codebase as a member of the public allows the contentsof the software to be verified. Bugs and vulnerabilities can easily be identified, and patches can besuggested to the developers of the software, thereby preventing their use under maliciouscircumstances. Closed-source software cannot provide the same advantages, as members of thepublic are not able to examine the source-code and suggest changes. Also, if a malicious user were toidentify a vulnerability, they may be able to use it to their advantage for a significant amount of timebefore being detected (and in some cases, may never be detected at all). Weiss and Bailetti [1] arguethis point further, stating that the use and development of open-source solutions can help to ensurethat the knowledge of any vulnerabilities are shared between different organisations, preventingfurther incidents.My project would firstly involve attempting to further prove this concept, by showing that variousclosed-source software solutions and implementations do, in fact, contain features that were notnecessarily advertised by their developers (which in some cases may be vulnerabilities themselves, orlead to the discovery of vulnerabilities). I believe that it would be valuable to show this in manydifferent scenarios, so an attempt would be made to carry out this work on a more modern system toshow that this is still a current issue, as well as an older system to prove that the problem has existedfor quite a while. In short, the project's primary aim would be to determine the main advantages ofopen-source software from a cyber-security perspective.

从网络安全的角度来看，闭源软件开发项目被视为比发布其源代码的项目（换句话说，开源项目）更令人担忧。这主要是由于开源软件可以从安全角度提供的主要优势。作为公众的一员访问代码库允许验证软件的内容。错误和漏洞可以很容易地被识别，补丁可以被推荐给软件的开发者，从而防止他们在恶意环境下使用。闭源软件不能提供同样的优势，因为公众成员不能检查源代码并提出修改建议。此外，如果恶意用户发现了漏洞，他们可能会在被检测到之前的很长一段时间内利用它（在某些情况下，可能永远不会被检测到）。韦斯和Bailetti [1]进一步阐述了这一点，指出开源解决方案的使用和开发可以帮助确保不同组织之间共享任何漏洞的知识，防止进一步的事件。我的项目将首先涉及试图进一步证明这一概念，通过展示各种闭源软件解决方案和实现，事实上，包含开发人员不一定公布的功能（在某些情况下，这些功能本身可能是漏洞，或导致发现漏洞）。我相信，在许多不同的场景中展示这一点是有价值的，因此将尝试在一个更现代的系统上进行这项工作，以表明这仍然是一个当前的问题，以及一个更老的系统，以证明这个问题已经存在了相当长的一段时间。简而言之，该项目的主要目标是从网络安全的角度确定开源软件的主要优势。