Companies Turn Blind Eye to Open Source Security Risks

DooKey

DooKey

[H]F Junkie
Joined
Apr 25, 2001
Messages
13,143
According to Jack Germain, at LinuxInsider, a company called Flexera released very interesting survey results about companies and their use of open source software. Some of the things that jumped out at me were how many companies don't contribute to open source projects and how many don't have anyone responsible for open source compliance, or they did not know who was. It really makes me wonder how secure their software really is.

Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.
 
It used to be nobody wanted to use anything NDH (not developed here) due to issues of importing code of unknown quality and they'd reinvent the wheel (often making the wheel worse in the process). Now it's been discovered if you use an open source component you not only get praise for doing less work, when things go wrong you can just point and say #NOTMYCODE and pretend like it's not your fault. Win win.
 
tazeat said:
It used to be nobody wanted to use anything NDH (not developed here) due to issues of importing code of unknown quality and they'd reinvent the wheel (often making the wheel worse in the process). Now it's been discovered if you use an open source component you not only get praise for doing less work, when things go wrong you can just point and say #NOTMYCODE and pretend like it's not your fault. Win win.
Click to expand...


On the flipside when stuff breaks you aren't beholden to a proprietary close solution that can only be fixed by the company that created it.

The takeaway here is there are ignorant companies that don't want to pay for a supported solution, or shoulder the responsibility of maintaining an open source one.
 
People need to lose the mindset that Open Source = More Secure. Just because anyone can inspect the code for flaws, doesn't mean that someone actually is. "Oh, there shouldn't be any big security flaws, because if there were, someone would have seen it and patched it by now." Then you get heartbleed and shellshock.

The lesson? Never assume. Especially if your entire business is relying on the security of your software *cough* Equifax *cough*.

Now, before the Richard Stallman disciples start jumping all over me - I am not saying that Open Source can't be more secure, just that it is not inherently more secure. It is only as secure as the people actively looking for security flaws in the code.
 
You must log in or register to reply here.
Back
Top