Hi,
http://www.networkworld.com/news/2008/072108-open-source-security-risk.html - and another take on the same article:
http://news.zdnet.com/2100-3513_22-123151.html - the first paragraph
reads, "Open source software is a significant security risk for
corporations that use it because in many cases, the open source
community fails to adhere to minimal security best practices, according
to a study released Monday."
Just to add a couple of cents...
I can see your point about security with the industry you work in,
but if you look at the two articles you mention there are a few things
you might want to take with a pinch of salt and read around further:
The Network World article highlights a survey done into 11 OS
software packages, but they were all Java-based and although I am not an
OS / Java guru, I only recognise 2 of these. I think a survey done into
some of the larger widely used OS packages - e.g. some operating
systems, web-servers, databases, etc. would have been more beneficial.
It would also be interesting to see a comparison between similar closed
and open source systems that provided statistics such as the number of
bugs / vulnerabilities found, time to fix bugs, number of lines of code,
etc. - metrics. My guess is that whether it's closed or open source,
everyone will be frantically trying to fix the latest vulnerability and
if my Windows update shield is anything to go by, it's not just OS
that's affected...
The ZDNet article cites a paper written by ADTI, who are described
in the article as a "conservative" organisation and are also cited for
often criticising OS software and are believed to be in bed with all the
major businesses - speculation possibly, but it's worth reading between
the lines and don't believe Slashdot over Wikipedia over ZDNet...
http://en.wikipedia.org/wiki/Alexis_de_Tocqueville_Institution
http://linux.slashdot.org/linux/05/03/25/238257.shtml?tid=166&tid=106
I guess the upshot is - software for any organisation needs to be
evaluated effectively. This can get more frustrating with larger
organisations because like you mentioned, it is a PITA to get a new
piece of software approved. But with open source, the code is up for
review, so I think it has an advantage there...
At the end of the day, just because it's open or closed does not mean I
trust it any more, but at least with open source, I know I can have a
look at the stuff inside and probably fine-tune it a lot more than
closed, and I think that's the attitude IT departments need to embrace a
bit more - check the software out properly. If departments did this,
then maybe there would be a few more jobs going and possibly a little
less money lost due to the wrong choices being made, but I am being
optimistic here :)
I do agree with the comment at the end of the ZDNet article and I
would sincerely hope that agencies responsible for my safety are making
informed decisions about the software that "protects" us. However, after
recent events in the financial and government sectors in the UK & US, I am
more concerned about the human capabilities, decision making and
morality of many organisations who are trusted with our information,
safety and money than about the software running these places. Most of the
problems I have read about recently seem to have come about because of
human error/incompetence rather than software bugs / security
vulnerabilities...
And yes, decent customer support is hard to find, but that's not just
restricted to OS software :)
Cordially.
Glen
--
Glen Pike
01326 218440
www.glenpike.co.uk <http://www.glenpike.co.uk>
_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders