Friday, July 25, 2008

Open Source Software a Security Risk: finally somebody is speaking out

A three-month study by Fortify Software focused on 11 open source software packages and on how each package's community responded when a security issue was reported to it.

People have the wrong perception of open source: that it is free and will not cost anything. I would claim that this is as true as having a free lunch every day at a local Starbucks. There is no such thing as free software. Even if the software is installed for nothing, sooner or later somebody is going to pay for the use of it, and I would like to challenge any CIO with this question and scenario: You are happy to take into production a content management system that is completely free, and on top of this there are hundreds of "free" components on the marketplace. You install it, and you are very happy to have all of the functionality you can think of. You are spreading the word to your buddies about the free stuff, and then one morning you wake up and get a call that your site has been exploited by hackers. You have scripts in your site that are collecting social security numbers, you have people "taking your role", and your users are getting exploited.

But the site is free, and now you have a problem on your hands. The question is: who do you call? Do you call the CMS vendor, or do you call each and every vendor that provides a "free" component? You soon find out that there are NO numbers to call and nobody wants to take the responsibility, but you still have a site that is causing harm. Do you still think it is free? Now assume that you bought the CMS solution from a vendor. The vendor charged for it either on a monthly basis or as a one-time payment. Maybe you even pay this vendor for maintenance for situations like this. Now you have somebody to call and somebody that might care about your problem. I think you get the point.

According to CIO.com and the article, this is what they found out:

Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined. But when Fortify tried to reach out to the open-source software communities, with the primary point of contact a Web site and a general e-mail address, the security firm found that "in two-thirds of these cases, you didn't get a response at all," West says. "There are no phone numbers. Who do you go to ask for information? It's kind of hard to tell who these people are." The report itself notes, "Open source packages often claim enterprise-class capabilities but are not adopting—or even considering—industry best practices. Only a few open source development teams are moving in the right direction." The reality is that while open source software may appear more cost-effective and just as functional as commercial software in some instances, the question of maintenance must be examined very carefully. "Who do you reach out to?" "What about the thousands of companies out there running Geronimo? And what about your supply-chain partners?"

The question is very obvious. If you are a CIO, you will really have to think twice before you take a leap of faith into running your business using open source. That is my personal opinion and that is why I run my applications using software from companies that care.

