Is this MS going back to the 90's or being genuinely concerned?
Now obviously, lots of companies use open source tools and incorporate open source libraries in their in-house software because it saves them a load of time and cost. Also obviously, you have to keep an eye out for vulnerabilities coming in with that code.
So I read this scare-mongering title on CIO:
Open source code is common, potentially dangerous, in enterprise apps
And I think - wow. Is this another round of FUD, or? Reading the article, I don't think it's wrong per se. It is just that all the dangers it talks about are doubly, if not triply, true for proprietary libraries and code incorporated in an enterprise application... Those often have worse security policies - no disclosure, for example. Loads of vendors still think "if I just keep this secret, nobody will notice how insecure my software is", and while that's bad for applications, you'll at least update them at some point due to a bug fix release you need. With libraries - well, unless there's a REAL good reason (say a zero-day vulnerability?) you won't update them, out of fear of breaking your app... Transparency is thus crucial, and it's a core feature of open source.
Of course, the article points out that it's not just open source, even pointing to Windows XP as part of a 'product' that was problematic (duh!).
Still, the title makes it seem like a big anti-open-source diatribe and claims: "Problem solved, at least in this instance. But the underlying issue – the routine practice of reusing open source code in new software – remains."
That's an issue!?!??!?
What do you think, is this a new way of making people afraid of open source or just a misguided title and a few stupid statements by the writer?
scottalanmiller:
Sounds like the same FUD as always to me. If it wasn't FUD it would say "reusing code has dangers" and it would maybe say "open source is our best protection, but even that is not a sure thing" rather than suggesting that open source is a point of risk. It's a critical part of risk mitigation.
JaredBusch:
Yeah, bunch of crap in that title. After reading your post, I will not even click through.