Review Without Peer

This software peer review hole is not universal, but it is very common. Commercial corporations sometimes do independent peer review; Sun's Java community is a vigorous example. Even so, it is in commercial corporations that independent peer review is least used. The lack of aggressive, unfriendly scrutiny of the crown jewels increases the number of "defects in execution" that are missed, while the lack of political will and the profit motive guarantee that many "defects in intent" will remain. A feature that brings money to a vendor is a defect of intent from the consumer's perspective. It's a commonsense idea: all else being equal, consumers would rather have software that doesn't lock them into future spending, software that simply does what they want it to do. To draw a parallel from consumer electronics, they'd rather not pay vast sums for inkjet cartridges.

On the other hand, most open source projects of any meaningful size have excellent peer-review processes for "defects in execution." The slow-but-steady forward pace of many such projects, and the high availability and security of the mature ones, is ample evidence. Good examples include the Linux kernel, the GCC compilers, and the Apache web server. Open source projects are not perfect—a certain critical mass of effort is required—but overall the transparency of the software encourages and supports peer review.

The argument between software products such as Microsoft Windows and Linux has lately been bitterly fought on the field of stability and security. When you examine software production from a process perspective rather than a feature perspective, it's clear that closed commercial software can't ever hope to be free of "defects of intent." Furthermore, closed commercial software can only match open source software on "defects of execution" if the investment made is large enough to compensate for the weaker review processes that closed source projects use.
