Companies Turn Blind Eye to Open Source Security Risks

Discussion in 'HardForum Tech News' started by DooKey, Oct 20, 2017.

  1. DooKey

    DooKey [H]ardness Supreme

    Messages:
    8,100
    Joined:
    Apr 25, 2001
    According to Jack Germain, at LinuxInsider, a company called Flexera released very interesting survey results about companies and their use of open source software. Some of the things that jumped out at me were how many companies don't contribute to open source projects and how many don't have anyone responsible for open source compliance, or they did not know who was. It really makes me wonder how secure their software really is.

    Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.
     
  2. tazeat

    tazeat [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 3, 2007
    It used to be nobody wanted to use anything NDH (not developed here) due to issues of importing code of unknown quality and they'd reinvent the wheel (often making the wheel worse in the process). Now it's been discovered if you use an open source component you not only get praise for doing less work, when things go wrong you can just point and say #NOTMYCODE and pretend like it's not your fault. Win win.
     
    DocNo and DooKey like this.
  3. Tweak42

    Tweak42 Gawd

    Messages:
    605
    Joined:
    Dec 1, 2010

    On the flipside when stuff breaks you aren't beholden to a proprietary close solution that can only be fixed by the company that created it.

    The takeaway here is there are ignorant companies that don't want to pay for a supported solution, or shoulder the responsibility of maintaining an open source one.
     
    BloodyIron likes this.
  4. jardows

    jardows [H]ard|Gawd

    Messages:
    1,700
    Joined:
    Jun 10, 2015
    People need to lose the mindset that Open Source = More Secure. Just because anyone can inspect the code for flaws, doesn't mean that someone actually is. "Oh, there shouldn't be any big security flaws, because if there were, someone would have seen it and patched it by now." Then you get heartbleed and shellshock.

    The lesson? Never assume. Especially if your entire business is relying on the security of your software *cough* Equifax *cough*.

    Now, before the Richard Stallman disciples start jumping all over me - I am not saying that Open Source can't be more secure, just that it is not inherently more secure. It is only as secure as the people actively looking for security flaws in the code.
     
    renz496, lcpiper and GoldenTiger like this.
  5. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008
    I'd buy that for a dollar .........



    And sell it for $69.95 oh yea :LOL: