TalkBack 59 of 59:
RE: The biggest threat to open source in 2009
Hi Dana,

I believe that you point out a symptom, but didn't see the problem. Security management in FOSS is an issue, but automated patch distribution is not a fix. To your direct points, the large closed source vendors use automated update mechanisms, but their success in resolving published security issues is not an example that I would hold up to scrutiny.

I recently spoke with Jay Lyman of 451 Group - https://fossbazaar.org/content/open-source-insecurity, and pointed out that . . .

1. Reported vulnerabilities do not directly equate to insecurity, just communication

2. FOSS and closed source are basically equal in issues reported by app type (DB, browser, etc.)

3. Closed source may have automated distribution methods, but their support contracts and legal requirements sometimes force them to delay distribution of a patch for weeks and months. FOSS has a good track record of getting the patches out fast.

The significance to FOSS and security in the enterprise is -
1. It is already in use by all (some may just be admitting it now)
2. FOSS has no central vendor. Enterprise uses support providers in place of vendors to deal with issues.
3. There is no uniform way for the community to test, validate and report on issues in a trusted and transparent way.

Enterprise managers have no interest in saying no to FOSS, regardless of a lack of integration with Windows SUS. Enterprises run operating systems and applications from vendors other than Microsoft. They are accustomed to managing software risk for platforms that have never offered an auto-update feature. Enterprises also have practical fear of patches that can free ride their way into a network because of a foolish trust setting (anything from MSFT must be good - go ahead and update).


FOSS for enterprises offers protection from vendor lock-in and price competitiveness. It allows multiple vendors to quote on the delivery of the same solution, further allowing expertise to be purchased at competitive rates.

The secret to security is NOT auto-update. There is something to be said for a diligent patch management process, but the biggest problem behind managing patches is actually knowing all those things that you are managing patches for, and delegating time to apply patches and make sure that something else didn't break as a result.

The secret to security is active responsibility for the process of managing FOSS. Just because a license wasn't paid for does not mean it is free, or comes without a management responsibility. Without a central vendor, the responsibility falls on the enterprise to establish risk management rules and test procedures to actively and diligently maintain the open source repository.

While vendors offer support around FOSS, users need to be aware of the additional responsibility taken on when using FOSS. It is the enterprise user that needs to define and police the rules around the management processes around FOSS.

In summary, FOSS security has more to do with strict definition and enforcement of management and audit policies, patch procedures and aggressive testing. Auto-update is sort of sticking your head in the sand and hoping the problem goes away.


For a more current discussion of enterprise issues in FOSS security, take a look at

http://blogs.the451group.com/opensource/2009/02/10/open-source-security-debated/

https://fossbazaar.org/content/open-source-insecurity

http://gpl3.blogspot.com


Posted by: ernestpark   Posted on: 02/13/09  (Edited: 02/13/2009 @ 02:16)
