[Biojava-dev] biojava / Security

Chris Abajian chrisa at espressosoftware.com
Fri Jul 25 18:43:23 EDT 2003 

Hi Rainer

I have a couple of comments and suggestions re security & biojava. 
Forgive me for such a long answer, but I take something of an interest
in security.

I don't know what other policies or programs you have in place with
regard to security, but to be really effective you have to look at the
big picture.  I expect that biojava is only one component among the
many, proprietary/free, closed/open source etc. that your company uses
in its daily work.  Looking at the big picture involves identifying 
different threats and weighing the costs/benefits of precautions you
might take against them.

There's no such thing as completely secure.  To put it another way,
given motive and sufficent means (money, time, computing resources) your
systems can be compromised.  Period.  Firewalls can be penetrated,
keystroke loggers (little dongles you slip between the keyboard and
computer) can capture passwords and of course there's always
old-fashioned methods like blackmailing someone who works there.

It's really a question of costs vs benefits.  How much is your
intellectual property worth?  How much money, time and effort and
inconvenience are you willing to spend protecting it?  Where are the
biggest risks?  Where do you get the most return from different efforts
to protect it?

Looked at from this perspective, the issue of whether biojava increases
your risk load and whether specifically it's being open source makes
that better or worse seems less significant.  Yes, it is certainly
possible that someone could insert malicious code into ("trojan")
biojava.  Using it increases your risk.  That's true of every single
software component you use, including the operating system, editors,
screensavers, email clients, etc.  Attacks against these components are
plentiful, easily available and effective.  So why try to break in
through a tiny window on the third floor (biojava) if it's easy to pick
the lock on the front door (say, an unpatched IIS installation)? Are you
sure you don't have worse things to worry about?

As you say, biojava is an important part of your daily work.  The
question is, do the costs outweigh the benefits?  You could remove all
computers from your workplace.  That would definitely make the network
more secure.  Does using it help or hurt your company more?

The particular nature of biojava as an open source project (as opposed
to closed-source, proprietary) arguably makes it more secure rather than
less. The consensus among security and cryptography experts is that in
the long run, all else being equal, open source software tends to be
more secure.  The reason for this is that while it's easier for someone
to insert malicious code than with a proprietary product that has
restricted access to its code base, there is also a greater likelihood
that someone else will discover any malicious code.  Similarly, flaws in
encryption algorithms or protocols are likely to be discovered sooner
with more people looking at the code.  "With enough eyeballs, all bugs
are shallow,"  to quote Linus Torvalds.  There's a lot bit of activity
in the biojava codebase and a lot of users.  That makes for a lot of
eyeballs.  In the end I think this principle is just peer review by
another name.

I strongly recommend _Secrets_and_Lies_ by Bruce Schneier (Johyn Wiley &
Sons, New York, 2000),  It contains some good discussions of both
business and technical issues with regard to network security.

On Fri, 2003-07-25 at 09:06, Warth,Rainer,LAUSANNE,NRC/BAS wrote:
> Hi,
>    biojava has probably became an import part of our daily work and we would
> not like to miss it. However, I was just recently asked within the company,
> what would be the security risk by using software from a public project such
> as biojava. Could it be possible that sombebody submits undesired code into
> the biojava package, which would end up on my machine and cause harm to our
> intranet.
>    Does anybody has some suggestions where to learn more about this type of
> problem ? Maybe somebody can propose a good strategy to protect againt this
> type of security risk ? 
> 
> Best, Rainer
> 
> Dr. Rainer Warth
> Research Scientist Bioinformatics
> 
> Nestle Research Center
> NESTEC LTD.
> Vers-Chez-LES-BLANC     phone: +41/21 785 87 13
> 1000 LAUSANNE 26          FAX: +41/21 785 89 25
> SWITZERLAND            e-mail: rainer.warth at rdls.nestle.com
> 
> _______________________________________________
> biojava-dev mailing list
> biojava-dev at biojava.org
> http://biojava.org/mailman/listinfo/biojava-dev
-- 
Chris Abajian
Espresso Software Development, L.L.C.
http://espressosoftware.com
206.910.4903

Espresso Software Development provides software development and
consulting services. We develop, deploy and support scalable,
multi-tiered, high-availability web, e-commerce and data-processing
applications.

More information about the biojava-dev mailing list