http://www.networkworld.com/news/2008/072108-open-source-security-risk.html


I would like to see the full report and criteria, but a few things that stood out to me were quotes like the following:

"not having a specific e-mail alias for submission of security vulnerabilities. 'You don't want to report bugs to a general mailing list because it would go to the general public,'"

Wasn't transparency a benefit of open source software? The general public is given the source code, the general public is asked to contribute to open source...why would you want to obscure the transparency at this stage? How many bugs have been reported to proprietary software vendors that have basically been sat on for years? Does this make it any less vulnerable, or is it an ostrich approach to security where we stick our head in the sand and assume that no one else can see the bugs?

I'm not saying that a dedicated e-mail alias for security issues shouldn't be done. This would definitely benefit the various communities, but I don't think bug reporting should be a closed-loop process.


"The reality is that while open source software may appear more cost-effective and just as functional as commercial software in some instances, the question of maintenance must be examined very carefully."


This I will agree with. Who maintains your open source software? Where do you turn when you have issues with it? This sounds more like a perception problem on the part of the user than a flaw in open source. If you do not have the in-house skills to maintain the software, you need to purchase a service contract. That service contract will help support the community that is fixing these bugs...it will also help fund the implementation of features that you need.

Maybe the open source community does need to change its modus operandi. Maybe the open source model needs a little update to reflect the fact that it has gone from an underground movement to a major player in the field. I'm not sure...it's definitely time to rethink the way the community operates. Hopefully this report will kick off discussions in that area.



This blog copyright 2008 by Jarrett Carver