
What makes this software so uncommonly good?
You may think it backwards to first come up with the list and then work out the criteria for it, but like most information security professionals we are intensely pragmatic. These applications make the list because they are in common use, and from this list we hope to extract a fingerprint for the "next" application to recommend. What has compiling this list taught us? How can we recognise "good" software given what it teaches us? We have come up with a screen, a set of common criteria against which to evaluate potential candidates:
- Wide Deployment. Deployed in many dangerous situations. Any fragile bits have long since broken off; wholly flawed applications have long since disintegrated.
- Good Documentation. We would extend this to "good community of users". It could mean good code comments, man pages, or even just plain readable code. Some of the best applications require very few docs; note that good does not necessarily mean large. In fact, in many cases there is an inverse correlation between the quantity of documentation and its quality.
- Simplicity. All of these applications perform a clearly defined task or group of tasks, and they manage to avoid feature creep. Many have been in use for 20 years. Making predictions is a good way to look stupid, but I dare say that some of them will still be in use in another 10 years. What does this say about the many commercial software security vendors with their pluggable architectures, overarching management frameworks, and database-driven information stores?
- Low (no) Maintenance. Install, configure, and forget. Low (no) maintenance ("fit and forget") is good. While we would not advocate that you really just completely forget about security-critical software components, low-maintenance software is the system administrator's friend.
- Safe in its default state (no sharp edges). Although many of the packages mentioned here have huge feature lists, you can discover their depth slowly and safely. They can't harm you in default mode, and they work as expected, with few bugs.
Closing Remarks
What do you think of these criteria? What other applications would you nominate that meet the screen? We are particularly interested to know what the quotient of security-related bugs per line of code is for these applications, and how that compares with other software. What about the number of bugs in community-developed versus dedicated-team-developed projects? Let us know your candidates, measured against this set of criteria, and we will publish the results in a future article.
Did I mention that the staff at 360is helped build and run the world's largest ISP using most of this software?
Sources
Three Sixty Information Security is grateful to the authors of the software mentioned in this article, many of whom made time to submit their comments and quotes for inclusion. We would also like to thank the contributors of official and unofficial documentation to these projects, the security newsgroups, subject-matter experts, and the open source community in general.