This document summarizes some assumptions and challenges around testing the security of open source versus closed source software. It discusses how automated testing through unit tests and fuzzing works in theory but can be limited in practice. Manual testing or "bug hunting" is also explored for both commercial and free open source software, noting it may be easier to find targets in closed source code. The document aims to start a discussion on how security is evaluated differently for open versus closed source programs.
2. DISCLAIMER
› I am not against free / open source software
› While there are different kinds of licensing, I will use:
“Open source”, if the code is provided
“Closed source”, if the code is not provided
“Free”, if you don’t pay for it
“Commercial”, if you pay for it
› For the purpose of this presentation, the licensing
is not important
4. ASSUMPTIONS
1) “The code is continuously evaluated, through unit tests and
automated fuzzers.”
2) “If the code is available, then multiple eyes, in the past,
have evaluated its security.”
3) “While looking for vulnerabilities, open source and
closed source software tools are the same.”
16. WHO AM I
› Doing stuff here and there about security
› Spending (too much) time in front of my keyboard
› Passionate about information security
› Running my own company focused only
on high-profile offensive security services
Lorenzo «lord» Nicolodi