Linus’ Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus’ Law isn’t valid?
According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus’ Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.
“I think that in every development model, security is always a challenge,” Hohndel said.
Hohndel said developers are typically motivated by innovation and figuring out how to make something work, and security isn’t always the priority that it should be.
“I think security is not something we should think of as an open source versus closed source concept, but as an industry,” Hohndel said.
In Hohndel’s view, the key question isn’t about software development models, but rather about having an architectural design that makes software more resilient. For VMware specifically, he said the company spends a lot of time looking at attack surfaces. For example, with the PKS (Pivotal Container Service), which is a Kubernetes container orchestration distribution, a core component is VMware NSX. With NSX, Hohndel said an organization can segment a network, reducing the attack surface.
Hohndel said the idea that many eyeballs makes all bugs shallow only works when there are multiple eyeballs. In Hohndel’s view, the Linux kernel development process is a good example of an open source project that does in fact perform proper code review.
“One of the biggest challenges for any software product, whether it’s open source or not, is to get enough qualified reviewers to make sure that you don’t get overwhelmed by the speed of innovation and you take the time to actually do decent code review,” Hohndel said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.