Assessing the importance of open-source software development from a cyber-security perspective

从网络安全角度评估开源软件开发的重要性

• 批准号: 2888123
• 金额: --
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2023
• 资助国家: 英国
• 起止时间: 2023 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2888123
• 关键词: Assessing; importance; open; source; software

From a cyber-security perspective, closed-source software development projects are seen assomewhat more concerning than projects that publish their source-code (in other words, open-sourceprojects). This is primarily due to the major advantages that open-source software can provide froma security perspective. Having access to the codebase as a member of the public allows the contentsof the software to be verified. Bugs and vulnerabilities can easily be identified, and patches can besuggested to the developers of the software, thereby preventing their use under maliciouscircumstances. Closed-source software cannot provide the same advantages, as members of thepublic are not able to examine the source-code and suggest changes. Also, if a malicious user were toidentify a vulnerability, they may be able to use it to their advantage for a significant amount of timebefore being detected (and in some cases, may never be detected at all). Weiss and Bailetti [1] arguethis point further, stating that the use and development of open-source solutions can help to ensurethat the knowledge of any vulnerabilities are shared between different organisations, preventingfurther incidents.My project would firstly involve attempting to further prove this concept, by showing that variousclosed-source software solutions and implementations do, in fact, contain features that were notnecessarily advertised by their developers (which in some cases may be vulnerabilities themselves, orlead to the discovery of vulnerabilities). I believe that it would be valuable to show this in manydifferent scenarios, so an attempt would be made to carry out this work on a more modern system toshow that this is still a current issue, as well as an older system to prove that the problem has existedfor quite a while. In short, the project's primary aim would be to determine the main advantages ofopen-source software from a cyber-security perspective.

从网络安全的角度来看，封闭源码软件开发项目比公开源代码的项目(换句话说，开放源码项目)更令人担忧。这主要是因为从安全的角度来看，开源软件可以提供的主要优势。作为公众的一员访问代码库，可以验证软件的内容。漏洞和漏洞很容易识别，并可以向软件开发人员推荐补丁，从而防止在恶意环境下使用它们。封闭源代码软件不能提供同样的优势，因为公众不能检查源代码并提出修改建议。此外，如果恶意用户要识别漏洞，他们可能会在被检测到之前利用它很长一段时间(在某些情况下，可能永远不会被检测到)。Weiss和Bailetti[1]进一步论证了这一点，他们指出，使用和开发开源解决方案有助于确保任何漏洞的知识在不同的组织之间共享，从而防止进一步的事件。我的项目首先将尝试进一步证明这一概念，通过证明各种封闭源代码的软件解决方案和实现实际上确实包含其开发者不一定宣传的功能(在某些情况下，这些功能可能是漏洞本身，或者导致漏洞的发现)。我认为，在许多不同的情况下展示这一点将是有价值的，因此将尝试在一个更现代的系统上进行这项工作，以表明这仍然是一个当前问题，以及一个较旧的系统，以证明问题已经存在了很长一段时间。简而言之，该项目的主要目标将是从网络安全的角度确定开源软件的主要优势。