The Cybersecurity Canon: The Cathedral & the Bazaar

Oct 04, 2017
5 minutes


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary.

While not purely a security book, The Cathedral & the Bazaar, and the ideas behind it, were a catalyst for the open source movement. Originally delivered as a speech to the 1997 Linux Kongress in Germany, this pivotal piece changed how we, as an industry, look at software development. It was the impetus for traditionally closed source companies to start open source projects and lead to the start of the Mozilla project. While the original speech should be required reading for how it shaped the industry, the book is more than you really need to read.


Though the revised text of the 1997 speech is the meat of The Cathedral & the Bazaar, the author includes additional commentary on tangential areas to make it into a book format: part observation (the best hacks start out as personal solutions to problems), part helpful advice (your last duty as a project owner is to hand it off when you lose interest), and part chronicle of hacker norms (be humble, don’t hold bugs against the author).

The text is somewhat technical, though you can skip over the especially technical sections without losing much of the value of the book. The essence is his nineteen lessons for good open source development:

  1. Every good work of software starts by scratching a developer's personal itch.
  2. Good programmers know what to write. Great ones know what to rewrite (and reuse).
  3. Plan to throw one [version] away; you will, anyhow.
  4. If you have the right attitude, interesting problems will find you.
  5. When you lose interest in a program, your last duty to it is to hand it off to a competent successor.
  6. Treating your users as co-developers is your least-hassle route to rapid code improvement and effective debugging.
  7. Release early. Release often. And listen to your customers.
  8. Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.
  9. Smart data structures and dumb code works a lot better than the other way around.
  10. If you treat your beta-testers as if they're your most valuable resource, they will respond by becoming your most valuable resource.
  11. The next best thing to having good ideas is recognizing good ideas from your users. Sometimes the latter is better.
  12. Often, the most striking and innovative solutions come from realizing that your concept of the problem was wrong.
  13. Perfection (in design) is achieved not when there is nothing more to add, but rather when there is nothing more to take away.
  14. Any tool should be useful in the expected way, but a truly great tool lends itself to uses you never expected.
  15. When writing gateway software of any kind, take pains to disturb the data stream as little as possible—and never throw away information unless the recipient forces you to!
  16. When your language is nowhere near Turing-complete, syntactic sugar can be your friend.
  17. A security system is only as secure as its secret. Beware of pseudo-secrets.
  18. To solve an interesting problem, start by finding a problem that is interesting to you.
  19. Provided the development coordinator has a communications medium at least as good as the Internet, and knows how to lead without coercion, many heads are inevitably better than one.

There are some very strong feelings on open source development in our industry. With true believers on either side of the debate, discussions often take a religious bent. This book is no different, and there is no confusion about which side the author is on. Still, there is some valuable analysis, if you are able to get through the philosophical discussions on how software is best created. In the author’s viewpoint, the two criteria that determine whether open source should be the development solution are:

  1. If reliability and stability/scalability are critical.
  2. If correctness of design and implementation is not readily verified by means other than independent review.

Regardless of your feelings on open source and commercial software, this speech was a key historical moment that was arguably the genesis of many security community open source projects.


While The Cathedral & the Bazaar is a historical piece that has shaped the industry, the book adds a lot of tangential commentary that wasn’t of as much value. While you should definitely read the text of the 1997 Linux Kongress speech online, you can skip the book.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.