Information Security and Open Source Dual Use Security Software: Trust Paradox

Nmap, a free open source utility for network exploration or security auditing, today counts thirteen million lines of code, representing four thousand years of programming effort. Hackers can use it to conduct illegal activities, and information security professionals can use it to safeguard their networks. In this dual-use context, the question of trust is raised. Can we trust the programmers developing open source dual-use security software? Motivated by this research question, we conducted interviews among hackers and information security professionals and explored the ohloh.net database. Our results show that the contributors behind open source security software (OSSS) are hackers, that OSSS has an important dual-use dimension, that information security professionals generally trust OSSS, and that large organizations will avoid adopting and using OSSS.
