Perhaps there is a place for a "trusted third party" who can audit the
source and issue some sort of assurance that the vendor could then attach.
Of course, this suffers from a number of problems. Such as cost. The need
to get a new certification after every change (or perhaps "level set" or
"release"). Finding said "trusted third party". Trust is difficult to come
by today. IMO, if I don't generally trust the vendor, or at least their
intentions, then I guess I shouldn't get their software (my attitude
towards MS and even Apple any more). Not that it's my call for Enterprise
Software. Here, it is more about hard money cost.

On Wed, Jun 19, 2013 at 8:08 AM, Phil Smith <[email protected]> wrote:

> This is an interesting dilemma. FWIW, in almost 30 years as a vendor, I've
> never had anyone ask to see source code for security reasons. That doesn't
> mean it won't happen tomorrow, of course.
>
> I suspect that the general attitude is a synthesis of the comments here:
>
> - Vendors are assumed to have competent people (yeah, yeah, let's
>   not go there!)
>
> - Customers don't necessarily think they would be able to grok in
>   fullness and spot any weaknesses
>
> - Customers are used to not seeing source code (and yes, that's a
>   whole 'nother discussion)
>
> - Customers auditing it could shift some of the responsibility to
>   them
>
> Basically, while a lot of techies have probably thought of asking to do
> so, they or their management have seen it as a rat-hole down which they
> dare not go. Again, this is my guess based on *MY* experience, YMMV etc.
>
> ...phsiii
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>



-- 
This is a test of the Emergency Broadcast System. If this had been an
actual emergency, do you really think we'd stick around to tell you?

Maranatha! <><
John McKown
