Given enough eyeballs all bugs are shallow: True or False?
From Eugene Siu's blog: https://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx
"Given enough eyeballs all bugs are shallow." I do agree that if more right-minded folks look at a piece of code, it helps identify both security and non-security bugs. This premise is built on the assumption that all reviewers have the best intentions in mind. However, do all people have the best intentions in mind? If all did, we would not need law enforcement officials.
Obviously there will be some malicious and devious "eyeballs" out there. Rather than identifying bugs, they plant bugs in open source software. This attack is named "Cross-Build Injection". Fortify just published an article with reported incidents related to OpenSSH, Sendmail and IRSSI. Check out https://www.fortifysoftware.com/servlet/downloads/public/fortify_attacking_the_build.pdf.
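The basic defence against the trojaned-distribution cases the Fortify paper describes is to refuse to build any source archive whose digest does not match one obtained out of band. The following is an added example, not code from Eugene Siu's post or from the Fortify paper: it parses a sha256sum-style manifest, verifies a downloaded archive against it, and rejects both a tampered archive and an archive the manifest does not know about. The archive bytes, the manifest text and the file name `example-1.0.tar.gz` are constructed for this example.

```python
"""Added example (not from the original post or the Fortify paper):
verify a source archive against a pinned digest manifest before it
enters the build. All inputs below are constructed stand-ins."""
import hashlib
import hmac
import re

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the archive bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <file>' or '<hex> *<file>').
    Malformed lines raise instead of being skipped, so a truncated or
    edited manifest cannot pass as 'nothing to check'."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not _HEX64.match(parts[0].lower()):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if name in manifest and manifest[name] != digest:
            raise ValueError(f"manifest line {lineno} conflicts for {name}")
        manifest[name] = digest
    return manifest


def verify_archive(name: str, data: bytes, manifest: dict) -> str:
    """Return 'ok', 'unknown-archive' or 'digest-mismatch'.
    An archive the manifest does not list is refused rather than built:
    whoever can swap the tarball on a mirror can usually rename it too."""
    expected = manifest.get(name)
    if expected is None:
        return "unknown-archive"
    actual = sha256_hex(data)
    # compare_digest is the habitual constant-time comparison for digests.
    if not hmac.compare_digest(actual, expected):
        return "digest-mismatch"
    return "ok"


# Constructed stand-ins: the bytes of a genuine source archive, and the
# same archive with an extra file added by a compromised mirror.
GENUINE_TARBALL = b"example-1.0/configure\nexample-1.0/src/main.c\n"
TAMPERED_TARBALL = GENUINE_TARBALL + b"example-1.0/configure.extra\n"

# The manifest stands in for digests obtained out of band (a signed
# release announcement, the project page over TLS), never from the mirror
# that served the tarball. Here it is generated from the genuine bytes.
MANIFEST_TEXT = f"{sha256_hex(GENUINE_TARBALL)}  example-1.0.tar.gz\n"

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    for label, blob in (("genuine", GENUINE_TARBALL), ("tampered", TAMPERED_TARBALL)):
        print(label, verify_archive("example-1.0.tar.gz", blob, manifest))
```

The check only helps if the manifest really does come from a different channel than the archive; a digest file sitting next to the tarball on the same mirror would be replaced along with it, which is why projects publish signed digests or signatures rather than bare hash files.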
Comments
- Anonymous, October 10, 2007
  PingBack from http://www.artofbam.com/wordpress/?p=7064
- Anonymous, October 10, 2007
  Is it different from phone home? Typically phone home collects some personal data or trends and reports them to Microsoft.
- Anonymous, October 11, 2007
  The comment has been removed