Gosling looks down Sun's open road

Openness breeds trust -- and more secure software.

That's the message from the man known as the "father of Java," James Gosling. He's still at Sun Microsystems working on software development tools and aligning the strategies for the language and platform he created more than a decade ago.

Silicon.com recently caught up with Gosling to discuss Sun's decision to release Java under the GPL (General Public License), whether open source is more secure than proprietary software, how IT departments can cut development costs, and why Microsoft still owns the desktop.

Q: Sun has come to embrace open source. Why did you take that open approach with Java?
Gosling: With Java it was a couple of things. One is to get people to use it in the largest number of places, to get people to do ports to platforms and various things.

One of the biggest reasons for me has been that we then get a lot more collaboration with the community -- people doing everything from bug fixes to security audits. One of the reasons Java has such a great security story is that we've had lots and lots of people stare at the source code.

We do an immense amount of testing and design work, but none of that is anywhere near as good as having thousands of talented eyeballs just stare at it and think about it.

Q: But it's only recently -- last November -- that Sun announced it'll release Java under the GPL, a standard open-source licence.
Gosling: For the longest time, all of the source code for Java has been available to everyone. And until recently it came with a license that said: "The source is open but you can't redistribute the results of any of your changes without passing the test suite."

We got a lot of flak from the open-source community about that. We got to the point where it was clear that the market pressures were strong enough around testing and interoperability and reliability that the clause in the license was not hugely useful. So we switched to using the GPL license.

Q: When will the switch to the GPL happen?
Gosling: We're still in the process of implementing it. We expect the process to be pretty much complete by May.

Q: Do you believe that an open-source development model is inherently better for security?
Gosling: Oh yeah. Because it's the only way that you can come to trust a piece of software. Security is a very different kind of thing to test because in security you're not trying to test that the thing you built works. You have to do that but you have to figure out -- are there any cracks? Are there any flaws at the design level? And there aren't automated testing techniques (for that). There's nothing that replaces somebody putting on a black hat and saying, "OK, I'm gonna try to break you." And then they do.

Ten years ago people were breaking into Java now and then, but always in a spirit of co-operation. We had a number of people find chinks in the armor which we fixed almost immediately. There's not been a single incident of actual loss due to a security issue. There is no Java antivirus software because it's not necessary. We've had 12 years of intense scrutiny by experts all over the world.

Q: It can be hard for people who design -- whether it's a language or software or a platform -- to anticipate all the different angles for someone trying to break into it.
Gosling: Exactly. So when you build tests, the tests are inherently limited by what you think they're going to do to break in. You can build tests to make sure any of the break-in techniques you know of are stopped. And you can sit around scratching your head thinking of new ways to break into things. But you're not going to be anywhere near as creative as thousands of grad students out there adding a chapter to their Ph.D. thesis.

Q: Do you think we'll see more use of open source in the enterprise as time goes on?
Gosling: Yeah. It's sort of gotten to the point where it's hard to imagine people using more because so much already is (used) -- everything from open-source operating systems to databases to programming languages to development tools. It's getting to the point where there's not much left. There are some areas like large-scale databases and ERP (where) there aren't any really serious open-source ERP (enterprise resource planning) solutions. They're getting there.

Q: What do you see as the biggest security threat to enterprises?
Gosling: The No. 1 biggest threat to enterprises is the inherent fallibility and laziness of humans. We can make the software as solid as we can, but if someone says the root password of the machine is "nothing," anyone can walk in and (log onto the machine).

It's amazing how many people will do something like that because it makes their life easier. The world is filled with IT operations where the staff has gotten annoyed with all the security so they just turn it off.

Or they'll do really dumb things like put a copy of their entire customer database on their laptop hard drive and then go on vacation and lose the laptop.
