Given enough eyeballs all bugs are shallow: True or False?

"Given enough eyeballs all bugs are shallow."  I do agree that if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have the best intentions in mind?  If all did, we would not need law enforcement officials.

Obviously there will be some malicious and devious "eyeballs" out there.  Rather than identifying bugs, they plant bugs in open source software, typically by tampering with what goes into the build rather than with the published source.  This attack is named "Cross-Build Injection".  Fortify just published an article with reported incidents related to OpenSSH, SendMail and IRSSI.  Check out http://www.fortifysoftware.com/servlet/downloads/public/fortify_attacking_the_build.pdf.
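The standard defence against a tampered build input is to pin a hash of every expected input and refuse to build when anything differs, is missing, or has appeared unexpectedly. The following is an added example written for this post; it is not code from the original post or from Fortify's paper. The manifest format, the file names and the tampering scenario in `demo()` are all constructed for illustration.

```python
"""Verify build inputs against a pinned-hash manifest before compiling.

Added example (not from the original post or Fortify's paper). A build that
fetches sources or dependencies and compiles them blindly cannot tell a
substituted input from the real one. Recording the SHA-256 of every expected
input (distributed out of band, e.g. signed by the project) and checking the
fetched tree against it lets the build detect modified, missing and
unexpected files and stop. Manifest layout and file names are assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_build_inputs(root: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file under root with the manifest of expected hashes.

    Returns a status per relative path: 'ok', 'modified', 'missing' or
    'unexpected'. Anything other than 'ok' should abort the build.
    """
    status: Dict[str, str] = {}
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                status[rel] = "unexpected"   # file the manifest never listed
            elif sha256_of_file(full) == expected:
                status[rel] = "ok"
            else:
                status[rel] = "modified"     # content differs from the pinned hash
    for rel in manifest:
        if rel not in present:
            status[rel] = "missing"          # expected input was dropped
    return status


def build_is_trusted(status: Dict[str, str]) -> bool:
    """True only when every expected input is present and unchanged."""
    return bool(status) and all(s == "ok" for s in status.values())


def demo():
    """Constructed scenario: a clean tree passes, a tampered copy is rejected."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        # Constructed build inputs; the manifest is derived from this clean state.
        files = {
            "src/configure": b"#!/bin/sh\necho configuring\n",
            "src/main.c": b"int main(void) { return 0; }\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
        clean = verify_build_inputs(root, manifest)

        # Simulate a tampered fetch: the build script gains an extra line, an
        # unlisted script appears, and one expected source file is gone.
        with open(os.path.join(root, "src/configure"), "ab") as f:
            f.write(b"echo extra step\n")
        with open(os.path.join(root, "src/patch.sh"), "wb") as f:
            f.write(b"echo unexpected\n")
        os.remove(os.path.join(root, "src/main.c"))
        tampered = verify_build_inputs(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree trusted:", build_is_trusted(clean))
    print("tampered tree:", tampered)
```

The check deliberately treats an unexpected extra file as a failure, not just a modified one: an injected build step often arrives as a new file that the legitimate build then sources or executes. The manifest must come from a channel the build host does not also fetch the inputs from, otherwise an attacker who can swap the inputs can swap the hashes too.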

Published 11 October 07 12:18 by esiu

Comments

# ACE Team - Security, Performance & Privacy said on October 11, 2007 3:19 AM:

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs-are-shallow-true-or-false.aspx

# Noticias externas said on October 11, 2007 3:22 AM:

From Eugene Siu's blog: http://blogs.msdn.com/esiu/archive/2007/10/11/given-enough-eyeballs-all-bugs
