Open Source Security: Still a Myth
Pages: 1, 2
Bonfire of the Vanities
The people you want looking at your free software are for the most part doing other things with their time, such as auditing commercial software. Still, those in the open source community never seem too worried about security in their own software. It seems like every open source developer under the sun thinks he understands security well enough to avoid security issues, even if he isn't too surprised when other developers are not quite as competent; plenty of security advisories for open source applications come out every week.
A disturbing trend I've noted is that many developers (open source or not) will pick up a little about security and think they know a lot. For example, when developers learn about buffer overflows, they generally wonder how they can allow attackers to execute arbitrary code. Usually, in looking for an answer they'll find out all about stack overflows and how easy it is to overwrite an address that the program will quickly jump to, and then put attack code in that address. A few times I've seen as a result those developers taking all their stack-allocated buffers and turning them into heap-allocated ones (that is, allocated by malloc). They tend to think there's nothing critically exploitable for an attacker to overwrite on the heap.
Usually they're wrong. Even if there isn't security-sensitive, application-specific data, and even if there aren't function pointers stored in memory that will later be dereferenced, there is usually something called the global offset table (GOT), which helps position-independent code access global data. The GOT contains function pointers that real programs dereference.
Then there's the case of SSL. In my years of doing security audits, I've learned that few developers understand how to use SSL properly. They tend to view it as a drop-in replacement for traditional sockets--just rewrite your Berkeley calls with the corresponding SSL API calls!
Unfortunately that's not how SSL works. In order for an SSL connection to provide confidentiality, the client and server must authenticate each other. Most SSL APIs do not perform authentication by default, due to the wide variety of authentication requirements. In fact, proper authentication often requires pages and pages of code (see the Secure Programming Cookbook for details).
Developers usually haven't heard that; when they do, they tend to become defensive. Sometimes they'll insist that there's no problem until someone can actually demonstrate a working attack. That is, instead of fixing potential problems and moving on, they'll try to force security auditors to spend hours of precious time demonstrating exploitability. This actually tends to be more of a problem in the open source world than in the commercial world, because commercial projects typically are driven more by schedules. Managers often are already worried about sticking to their schedule and will try to railroad developers into taking the easy road, even if they start to question the audit results. In the open source world, developers tend to be quite independent, even when people are managing a project. With such projects, it's rare that anyone worries about a negative impact should a release take a bit longer to ship.
The Market for Secure Software
Ultimately, building secure software well is incredibly challenging for the average developer. Too much must be known in order to master all the issues that might lead to security risks, particularly considering the obscure libraries that might be misused and the arcane matters that can go wrong when adding cryptography to an application. Developers shouldn't be quick to assume that they have security issues well in hand.
Certainly, commercial software organizations can fall into similar traps by assuming that they have security under control. However, commercial organizations are more likely to take security seriously, simply because they are more likely to have paying customers demanding some level of security assurance.
Many market segments have not only identified security as a big concern but also realized that the root causes are better confronted by the development team, not network engineers. In particular, financial companies and government organizations are looking for assurance that the software they acquire is likely to jump some basic security bar.
People who want to sell software to organizations in these markets have to answer tough questions about the security properties of their software. Many times, potential customers must fill out extensive documentation about their products and the processes and technologies used to build them. Sometimes, potential customers must even submit their software to independent third-party source code auditing before purchase. For instance, the U.S. Navy is currently working on the prototype of a process that all vendors will go through before they may sell software for use on the Navy's intranet.
Of course, the customer won't pay for software security. Customer demand will force the software suppliers to address the issue. Even the Navy's prototype requires that vendors pay for their assessments.
Who will pay for open source software assessments? Ultimately the highest-profile open source software may go through the wringer if behemoths like IBM think it's worth the cost. Smaller projects are unlikely to receive that kind of treatment.
Security assurance isn't just about assessments, either, and the security-aware customer knows it. It's a worn but true cliché that security can't be bolted onto an application after the fact. It needs to be considered from the beginning. A positive, cost-effective change in security requires a change in process.
Customer pressure is starting to have a big impact on the development processes of development organizations. For example, Microsoft may have traditionally had a bad reputation for security, and that reputation may even hang over it still. Nonetheless, for the past two years it's made a dramatic effort toward improving software security throughout the organization. It doesn't just conduct security assessments of software after it's written. It conducts extensive architectural security assessments of every piece of software; it has its testing teams perform thorough security testing; it puts all its developers through awareness programs; and it holds developers accountable for their security mistakes. Microsoft realizes that it will be years before it has a huge impact on deployed software and that it may be years before it's changed industry perceptions, yet it has made a tremendous long-term investment in order to reach that point eventually. Many other big software vendors such as Oracle are just as serious about this issue.
These organizations have spent a lot of money improving their security process, knowing that if they address their security problems earlier in the life cycle, reliability goes up and, in the long term, cost goes down. Because open source projects aren't driven by traditional financial concerns, they're less likely meet the needs of the market. Open source projects tend to focus more on what the development community finds interesting rather than what potential users find interesting. The lack of financial incentive results in a relatively poor feedback mechanism.
That's one big reason why even though some government and financial organizations have begun to adopt open source software, many remain skeptical or cautious about going down the path, adopting only the most prominent, well-vetted open source projects (such as Apache, a rare bird in the open source world in that it actually has an appointed security officer responsible for the security posture of software). Whether true or not, there's a reasonably widespread perception that open source developers are either part-timers or kids who focus on providing great functionality but sacrifice reliability as a result.
What Should the Community Do?
I believe that in the long run, open source software does have the potential to be more secure than closed systems, since open source projects can do everything commercial projects can. When high-quality analysis tools become more common, hopefully the "many eyeballs" phenomenon will work. Still, when it comes to security, money looks like it will be a big catalyst for positive change--and the open source community is largely insulated from it.
If the open source world wants to make sure that security is not an impediment to adoption, then it needs a strong answer. First, open source projects need to migrate to software engineering processes that resonate with the industry. Most projects are devoid of structured process. Programmers who use it tend to take the Extreme Programming approach, which may end up being too liberal for many buyers.
Of course, too much process can be worse than too little. Plenty of commercial software applications have failed for spending too much time building models instead of software. Yet, particularly for the purposes of outside security review, documenting software architecture can help tremendously. Conservative customers will feel much better about work where they can see that security is an ongoing concern, not something handled in an ad hoc way.
A little bit of process can go a long way here. Produce a sketch of your system architecture, and label network connections with how you handle things like confidentiality, message and entity authentication, and input validation. Keep it updated as you build the system. Make it easy to see from the code that you actually implemented the design. Just showing that you thought about security issues from the beginning and followed through on them will make many people far more comfortable.
Second, open source projects need to improve security awareness across the board, integrating security into their development in much the same way that Microsoft is doing. Particularly, open source projects need to produce relevant artifacts such as security architecture documents that demonstrate a careful response to security risks. Additionally, the open source community will need to focus on other security-aware functionality, such as better audit trails for anything that might contain financial data, as Sarbanes-Oxley and other similar legislation is becoming a major factor in many acquisition processes.
Third, the open source world needs to recognize the importance of independent, third-party auditing. The community needs to develop security auditing expertise that it applies to projects, particularly as better automation and educational material become available. The community should be on the lookout for creative arrangements to persuade the industry to pay for independent security audits and certifications, as such matters are highly likely to grow in importance and are unlikely to be free.
Comparing all open source software with all commercial software is tough. Certainly, when it comes to security, there are good cases and disasters in each camp. I do believe that from a security point of view, Apache is probably better off than Microsoft's IIS and that djbdns is better off than almost anything competitive. While I do think the open source community has a long way to go in general, I don't think it is necessarily worse on the whole. I would evaluate it only on a case-by-case basis.
In the end it doesn't matter if open source systems tend to be more secure than proprietary systems, because on the whole they aren't yet coming close to being "secure enough."
John Viega is CTO of the SaaS Business Unit at McAfee and the author of many security books, including Building Secure Software (Addison-Wesley), Network Security with OpenSSL (O'Reilly), and the forthcoming Myths of Security (O'Reilly).
Return to the Security DevCenter
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 23 of 23.
-
Does the author really knows about open source software?
2004-09-21 04:37:42 lozano [Reply | View]
-
Does the author really knows about open source software?
2005-01-18 20:56:44 musnat [Reply | View]
It seems to me that you are not aware of open source at all. Today all it takes to be an open source developer is to open a software project at sourceforge. When people say open source software or open source community, they talk about these people.
Second, you are also clearly have no idea how Linux is implemented. There was no software engineering practices used at anytime. Denying this only makes you are an unreliable open source zealot.
Apache is part of the open source, apache is not open source and open source is not apache. When you talk about open source, giving apache as an example is a pretty stupid thing to do, because Apache is being supported by IBM and many other companies.
-
Awareness is step one.
2004-09-18 09:55:25 Trusty [Reply | View]
I think the author makes good points that apply to both open and closed source camps. I do not detect any intentional FUD making going on.
Awareness and education of security issues are a necessary first step. Let's be honest and admit that it is a good thing that Microsoft has upped their efforts in this area, even though many would say too little, too late.
The next step is actually writing secure code, and there will be some developers who will excel at this and others who will be less than stellar, no matter how much effort they put in. There is no doubt that the final result will be less if you do not have the goal of strong security at the outset.
While this might be a simplification, these discussions seem to get muddled by those folks who have their tail feathers ruffled whenever the topic overlaps into FOSS vs. proprietary issues. The process might be different but the end results should be the same.
The company I am with will soon be selling a product that converts a Linux system into a trusted operating system, with mandatory access controls and fine grain auditing of all system users. It does not trust the users or the applications. It provides core security and the auditing capability that the author calls for. The base module is open source, but we sell commercial tools that save time and money for the enterprise.
I fear that rather than looking at whether the product really works, energy will be wasted debating the commercial aspects of our products. That is the shame of these arguments.
-
Fair point if a little fearful of open source
2004-09-17 19:42:01 cardiofile [Reply | View]
The main point of this article is fair: just because software has it's source code open doesn't necessarily imply that it has better security than a closed source application.
True enough. However, I don't believe that there is anything about open source that inherently disadvantages software from a security point of view. Proprietry software is at a disadvantage from the point of view that it more difficult for a buyer to assess how secure a product is (independent third parties can't audit source code).
Current practice may well be more of a indication of a lack of understanding of security issues in the wider software community (proprietry and open source) than it is specifically to open source.
If an organisation wishes to use an open source product and they are concerned about security doesn't it make sense to employ people to audit the source code (contribute to a code auditing project)?
Perhaps the open source community needs to establish more groups (I know of a few) to perform securiy audits; if third party audits are so important to security then open source seems to me to be in a much better position due to the free availability of source code to enable this than proprietry code.
And as a final point, commerical is not mutually exclusive to open source, there's no reason why a commerical organisation can't contribute to FOSS development (e.g. Sun, IBM etc.)
-
a little editing --
2004-09-17 18:05:27 joelrees [Reply | View]
In the paragraph before "The Market for Secure Software", shifting from the problems amateurs have with SSL (TLS?) to the laziness amateurs have when faced with complex security interactions, you say:
<blockquote>
That is, instead of fixing potential problems and moving on, they'll try to force security auditors to spend hours of precious time demonstrating exploitability. This actually tends to be more of a problem in the open source world than in the commercial world, because commercial projects typically are driven more by schedules. Managers often are already worried about sticking to their schedule and will try to railroad developers into taking the easy road, ...
</blockquote>
Are you sure you didn't mean to say, it actually tends to be more of a problem in the commercial world because of the schedules?
-
a little editing --
2004-09-18 09:54:11 stinkingpig [Reply | View]
No, he's saying that because of the tight timelines, people can't waste days and weeks on arguing over whether something should be done. If the developers and the auditors disagree over whether the implementation should be changed, then they put their relative cases forward in a meeting with project management and/or product management, a decision is made, and the results are acted on. If one side doesn't like the decision, they may grumble but they're not able to do much more than that unless they want to quit their job.
In the open source world, disagreements can produce complete deadlock and a forked or competing project. XFree86 > X.org, anyone? LRP > LEAF? KDE vs GNOME vs a thousand others? I like the wild west atmosphere of it because I get to pick and choose a set of software that supports my needs well, but supporting a few thousand PEBCAKs with Linux desktops would be an interesting experience.
-
a little editing --
2004-09-17 18:20:48 joelrees [Reply | View]
Separating the edit from the critique, I think the error reflects the fuzziness of the approach. It seems to me that the author, recognizing that the many eyes argument shifts in quality for the small audience projects, but not thinking through.
As one reply has already noted, at the very minimum, open source offers more potential for external audit than closed source. Closed source contains inherent barriers to external audit. Just like with voting machines, it is the external audit that allows for real engineering audits to begin.
One more pet peeve: commercial vs. open source is a false argument. Large audience open source is without exception commercial.
-
Why, why, why?
2004-09-17 17:15:35 kendyke [Reply | View]
Why is it that everytime some 'security guru' wants to disparge FOSS that pick on a seriously messed up software package like wu-ftp?
Yes, there is bad FOSS just as there is bad closed source commercial software.
They are worried that open source developers are too much "hacker" and too little "engineer," cobbling together solutions without going through a structured software engineering process (such as requirements, specification, and analysis).
When someone decries the lack of "requirements, specifications, and analysis" it tells me they think inside the box of a comp. sci. training program. Yes, that is a structured process that can help acheive quality code (emphasis on 'can'). But there is more than one way to get there and that is something they do not teach at university.
No, I am not going to provide additional support for my argument in this post. It will require a lengthy essay that is working its way up my 'to-do' list. Hopefully, someone else will write it before it gets to the top of my list but be that as it may.
P.S. I have "Secure Programming Cookbook" on my shelf though I not done more than the initial browse at the bookstore that induced me to bring it home.
cheers,
I think, therefore, ken_i_m -
Why, why, why?
2006-02-03 22:21:24 ChrisMcKnight [Reply | View]
Hmm, you're too lazy to post additional support for your argument, and you're too lazy to read his book? Perhaps you are the wrong person to act as a spokesman for Open Source, cause professional level programmers will make you look stupid.
-
Drivers behind security
2004-09-17 16:23:43 martin.langhoff [Reply | View]
High stakes deployments drive security. Security starts to be addressed when deployments are highly exposed, either because they are many and on the open internet dealing with a lot of traffic, or because wealthy clients consider them business critical.
The risk of major annoyance to a large number of sophisticated users _or_ annoyance/financial loss to wealthy players is the "market feature" that makes the security of a software product evolve.
Wealthy players assert pressure on proprietary vendors (eg Oracle) or pay auditors/programmers to audit&fix FOSS (Postgres, MySQL). Many non-wealthy users can put some pressure on a proprietary vendor (IIS), and can do a lot more for a FOSS product (Apache).
In the end, there is an important degree of market dynamics in both models, in particular with the sophistication of the buyer (awareness of security as an important factor). Some proprietary tools hare more mature and have had more high-stakes deployments, we should expect their security to be more mature.
A few observations remain:
- in the many small interests scenario, FOSS is
more effective than proprietary (Apache/IIS).
- in the wealthy client scenario, it is hard to define which is more efficient, but in the case of FOSS, clients need to be hands on.
- large markets of non-sophisticated users are ill-served -- noone seems to be interested in providing security to those who don't care.
Background: I have been working with FOSS for several years, and done several security audits of FOSS software. Some resulted in security patches being offered to the project maintainers. The security audits were paid for clients interested in high stakes deployments. I have also had to deal with exploited servers and workstations where the vector had been flaws in FOSS and proprietary software.
-
Gee, not even a mention...
2004-09-17 15:44:06 Amgine [Reply | View]
of the "many eyes" which belong to hackers and whose attacks might exploit (and make public) security flaws.
Working with phpWS a while back, a series of sites got paved. The hacker was polite enough to explain where the security hole was, how it was exploited, and give suggestions for how to fix it. He had his fun, we got a stronger system.
I don't know of many proprietary systems which have this kind of resource. But then, we didn't threaten him with jail time and punitive civil judgements.
Amgine
-
An extremely flawed article
2004-09-17 11:23:22 McAction [Reply | View]
This was very disappointing to read on oreillynet.
1) Reputation is as valuable a motivator as money. No developer wants their project to be thought of as insecure. Microsoft's biggest problem and the cause of their imminent downfall is that no one trusts them.
2) There is NO guarantee that propriety software developers run these stringent audits the author fantasizes about. FOSS may be guilty as charged, but so is EVERYONE else.
3) The not-so-subtle implication throughout the article that open source developers are necessarily average is insulting and obviously wrong. Average and below average developers are plentiful in the commercial software industry--anyone have a different experience?
4) Near the end of the article he claims that security has to be measured on a case-by-case basis yet he painted with a broad brush throughout the entire article. So, which is it?
5) Not yet "secure enough"? Daily we relearn that the pinnacle of proprietary development (Microsoft) causes more security headaches than any other vendor.
Overall, this was an extremely sad article. It just did not have any positive value.
-
An extremely flawed article
2004-09-17 11:26:14 McAction [Reply | View]
I forgot the big one: with open source at least anyone and everyone has the opportunity to do whatever security audit they wish. Try demanding that you neeed to audit the source code of Outlook before you deploy it--see what Microsoft says. Good luck!
Case closed. -
An extremely flawed article
2004-09-17 11:58:34 Shane_Brodie [Reply | View]
I get such a kick out of reading the reactionary articles submitted by card-carrying members of either the commerical software industry or the open source community that I can't help but chuckle.
No-one in their right mind thinks of software in the strictly black and white ideals of commercial or open source. Following either path blindly would be foolhardy.
Stating that Microsoft software is insecure, while it "may" be true, it can hardly be held up to open source and compared. After all open source does not have tens of thousands raving "anti open source" troglodytes actively working to discredit it.
Real programmers, IT Managers, and knowledgeable end-users know that they can get the best bang for their dollar/yen/euro/peso/etc. etc. by striking a balance on all of the alternatives.
Why can't we all just get along ... -
I'm Not Convinced
2004-09-17 11:55:30 chromatic |
[Reply | View]
I think that to prove your case, you'd have to prove that having the source code available for people to audit actually leads to widespread audits and security fixes. Otherwise, you're arguing a point that John deliberately didn't address.
Certainly the availability of auditable code and the ability to produce patches might mean that open source code could have more people doing security audits and fixing problems before exploits appear -- but postulating that people could fix problems doesn't mean that people will or actually do.
Unrealized potential may be nice to have, but it doesn't do really do anything for you until someone puts work into realizing it.
I'm not interested in anecdotes and I'm very disinterested in comparisons between Apache and IIS or Outlook and mutt. I want real data, not handwaving. -
I'm Not Convinced
2004-09-17 12:17:08 McAction [Reply | View]
I absolutely agree that potential doesn't equal action and that some hard data would be very helpful. However, there was no hard data in the article either. I used the same sort of arguments that the author used, so I guess my comments probably were lacking in value as well.
-
I'm Not Convinced
2005-01-18 21:03:45 musnat [Reply | View]
I think you are using open source zealtory, which has no merit at all.
Microsoft does share its source code with governments. That means a lot to anybody who is making a decision to buy Microsoft software. Everybody knows for sure that Microsoft's software has been checked out by other people who doesn't have a common interest to cheat you, China vs US etc...
On the other hand, we don't know who is really checking out open source. There is no formal way of knowing that.
You have no arguments, I think, you are simply one of the thousands of open source zealots who is more than ready to lie and distort facts or come up with all sorts of nonesense.
-
Interesting but somewhat meaningless
2004-09-17 10:51:32 stonehippo [Reply | View]
The entire argument for whether closed or open source produces more secure code is highly flawed, and for the exact reason that is stated early on in this article: the question must be handled on a case-by-case basis. Discussing the generalities of which process produces more secure software is an almost useless exercise: the particular team creating the software, their knowledge, skills, and inclinations, combined with processes, are what determine the quality of a software product.
The idea that there is a unified "open source community" is laughable; it's no more true then saying that there's a unified closed source world. While many of the people involved in F/OSS development share some basic ideals about how software should be developed, the re's nothing that guarentees that they're all competent. The same is entirely true in the closed source world: if a group of developer's pay attention to security and has the skill to really identify issues in the code, then holes will be closed.
I agree that too much has been made of the "many eyes" argument. However, there is some validity to the idea of "selected eyes".
An advantage of open source in this arena is that independent auditors may choose to check for security issues and bugs in the code, and can fix them when they are found. With closed source, something like this requires a special arragement with the rightsholder. Note that this does not make the F/OSS software more secure by default; if no one with the right skills is looking at the code, holes won't be found. But at least a company or individual has the option to commence such an audit independantly. It for this very reason the groups like the NSA have adopted Linux; they don't expect that the community at large has the expertise that they have in house, but they can leverage the work of the community and avoid re-inventing the wheel.
The fact is, some F/OSS projects are mature or lucky enough to have their own processes for finding and fixing security issues: the OpenBSD and Mozilla Firefox projects have both had active, and fairly successful, security activities. Others are not. At the same time, there are plenty of examples of closed source projects and products that have received diligent security fixes (and some notable ones that have not). It's not a question of open or closed source: it's a question of thinking about security or not.
-
The heart is too far near the end
2004-09-17 10:32:52 aaronbarlow [Reply | View]
From the article,
"In the end it doesn't matter if open source systems tend to be more secure than proprietary systems, because on the whole they aren't yet coming close to being 'secure enough.'"
I think that this should have been the thesis of the article. Rather than focus on the difference between MS and Open source, which is a bit of a generalization on both sides, I think the article should have focused on what the Open source community could do to produce software that is "secure enough" (if there ever can be such a thing). Is there a way to leverage those many eyes into producing a more secure profuct? Why is extreme programming less secure? How do we produce open source security programming experts?
Secure software seems to be the contest that everyone is trying to win. I would rather read about how to win more than who is in the lead.
Aaron
-- Feel free to ignore my opinions. They're ignoring you already.
-
Fair comment but...
2004-09-17 09:06:49 smorris12 [Reply | View]
It is fair comment that the open source community should not be complacent in its security auditing, but there is power in numbers.
If experts were all that was needed to assure secure computing, Microsoft would have the most secure software available. They hire the top grads, who probably have reasonably solid procedures for auditing software, and the resources to ensure the testing is done. All this results in software that is at the very least no more secure than open source software (I would argue even less secure than open source)
We may hate the thought, but the masses may indeed be smarter than the experts at Microsoft, IBM, Apple, and CA...
-
Summary
2004-09-17 05:44:21 dscotson [Reply | View]
I think your argument could be summarized as follows
"Small, underused, badly-coded open source apps, written for their own amusement by amateurs and volunteers who overestimate their own abilities in the fundamentally difficult field of security will have more problems than large, widely-used, well-written, proprietary apps authored and audited by humble yet skilled full-time professionals for big business."
Unfortunately, you could reverse the positions of 'open source' and 'proprietary' and get an equally true assessment (in my opinion).
The fact that the word 'commercial' is used repeatedly as the antonym of 'open source', suggests you think that it is, at the very least, uncommon for that reversal to hold true. This a symptom of the wider problem that ensures the article misses the more interesting questions e.g.
If Sun open sources Solaris (as they claim they will) will it become more or less secure?
I'm guessing the answer would be "that used to be commercial [sic], therefore it doesn't count as open source". But I have the intuition that the combination of open source and commercial, professional development will be more effective than either alone. -
Summary of summary
2004-09-17 09:45:04 chillhaze [Reply | View]
With all due respect, I think your rebuttal could be summarized as follows:
I'm an open source supporter, and the author has gored my ox. Despite stating quite plainly that open source was no more insecure than 'commercial' software, just not better as some people have claimed, he must be wrong because ... well, just because.
I have an opinion that things are different, though I have no real proof to offer at this time.
I would prefer the author discuss the concept that 'commercial software != open source software', because I think that is more interesting.
I would also request the author consider this poorly fleshed-out example, which does not actually conflict with the article. My intuition is that somehow combining open source and "closed, professional development" would be somehow better than current practices, even though I can offer no reason for such an outcome.
Wouldn't a simple "You're wrong, dead wrong" have sufficed? -
Correction
2004-09-18 05:59:05 dscotson [Reply | View]
I'm not sure who gored *your* ox, but if you want to rail incoherently against imaginary free software zealotry then carry on.
I only ask that if you're going to directly quote me, then at least get the words correct. I was speculating about the combination of the mooted open source security advantages with "commercial, professional development" (as recommended by the original author) since the two concepts are clearly not mutually exclusive.
Substituting 'closed' for 'commercial' makes the quote as confused as the rest of your response is on the distinction between the two concepts.
In the meantime, plenty of commercial and governmental organizations are still concerned that open source software is usually less secure than proprietary software. They are worried that open source developers are too much "hacker" and too little "engineer," cobbling together solutions without going through a structured software engineering process (such as requirements, specification, and analysis).
My experience with commercial software development, in-house development, and contributing to open-source projects is the opposite of this. Open Source projects tends to have a more formal and complete software engineering than most commercial projects.
They need to have, because if not they cannot manage a large and disperse developer community. But closed, proprietary software projects, may not have, simply because you'll never know if they really do what they say.
Most software houses I've worked for doesn't even have basic things like version control and configuration managenent in-place. Having the feature on the "enterprise ide" they brought is not the same as using them. Most of Them use CASE tools to reverse engineer the code (after it is "done") so the customer get the fine UML documentation for the system which is very different from doing requirements, specification, and analysis.
Telling open source projects in general are too much "hacker" is just echoing FUD. That's not the way most well known (and not so well known) FSOSS projects are actually done.
So, if you compare "comercial" software versus FSOSS (which is already a mistake, the distintion should be proprietary x FOSS as there are lots of comercial open source software) on a software engineering process and quality control standpoint, most of the time FSOSS proves stronger.
It's funny when I do consulting on companies willing to adopt FSOSS development tools I spend most of the time teaching about sound software engineering practices (like formal unit testing) than about FSOSS philosophy or the tools per se.
The author also seems to ignore the level to which "comercial" software packages today depends on FSOSS software, like IBM and Oracle app servers using Apache or Java IS using jakarta-commons. They wouldn't to this if they were not properly engineered.