How do you know your code is secure?

How do you know your code is secure?

The short answer is that you don't, and you can't.

Software engineering is really hard, and security software engineering even more so.

Part of what makes accusations like the kind made against BSD so insidious is that they are just about impossible to disprove. For anything but the most basic program, it's impossible to prove that isn't doing anything you think it shouldn't be doing. And even if you trust the code completely, do you trust your compiler? Or the people who wrote the compiler for your compiler? It's compilers all the way down.

Open source is neither necessary or sufficient for secure code. In some ways it may make you more vulnerable, and in some ways it may make you less vulnerable.

But in the ways that tightly-controlled open source makes you safer, it is precisely this: it is hard for an outsider to put a backdoor into it without other people noticing. In fact, the OpenBSD crypto codebase is probably the most difficult place in the world to do it. If you suspect backdoor code here, you have to suspect backdoor code everywhere.

(Some projects are very loosely controlled, and rightly so, because they aren't that popular or aren't used in environments where security matters.)

Calyptix pledges $1000 bounty for OpenBSD IPsec backdoor bug

There have been unsubstantiated claims that the FBI implemented backdoors and key-leaking bugs into the OpenBSD cryptographic framework.

Calyptix is pledging $1000 to the first person who newly finds such a bug in the IPsec implementation of the 4.7 or 4.8 release of OpenBSD before March 31, 2011. If it is not claimed by then, the $1000 will be contributed directly to the OpenBSD team.

Members of the OpenBSD team are eligible. :)

Other parties have made similar pledges, although obviously we cannot speak for them.

We are working on a formal definition of what would count as a bug.