Fortify jumps on the Meta open source bandwagon
February 05, 2009
Posted by: Glyn Moody
I've already noted my scepticism with regard to the Tories' pledge to go open. Although I applaud a move away from an increasingly closed, authoritarian UK government, my feelings are that it's a case of jumping on the trendy bandwagon of openness.
OK, so riding the waves is what politicians do. But they're not the only culprits: companies do it too. Here's a particularly fine example, because it's not so much jumping on the bandwagon as jumping on somebody jumping on the bandwagon:
Fortify Software, the software security assurance specialist, says that the Conservative party is misguided in its criticism of the UK government over its lack of support for open source software.
"The Conservatives have accused the Government of failing to capitalise on open source software, despite reports from government agencies that have recommended its usage," said Richard Kirk, Fortify’s VP and GM of Europe.
"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches.
"That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer," he added.
Oh really, and what would this in-depth research be, pray?
According to Kirk, Fortify's sponsored report, released last summer, looked at 11 of the most common Java open source packages, scanning them using Fortify SCA, the static analyser seen in its security suite, Fortify 360.
Oh right, so this isn't some deep new research, but rather a warmed-over report from last summer.
And remind me again, what does it survey exactly? Why: "11 of the most common Java open source packages".
And that relates to the Tories' proposal precisely how? Were they suggesting that the entire UK government IT infrastructure be built using open source Java packages? I think not.
Were they, rather, suggesting it might be useful to take a look at stuff like, you know, GNU/Linux, Apache, MySQL? That was more the impression I got. And is this covered in the slightest by the Fortify Software report? No, I thought not.
In other words, the current press release is extrapolating from some old research on 11 Java packages to the entire open source ecosystem.
Comments received
Tor Arne Pedersen said on Thursday, 05 February 2009
Thank you for this blogpost. A real comparison of how long discovered vulnerabilities remain unpatched from vendor would be interesting. I have been looking for this information.
Yvonne Eskenzi said on Friday, 06 February 2009
In Fortify's release they were trying to make the point that Open Source, although incredibly beneficial in the most part, does have a number of security flaws as does most commercial software. Therefore, it is only right that the Government who is supposed to have our best interests at heart, should be investing in software that is 100% secure - something that OS isn't - which is what Fortify's report showed.
Glyn Moody said on Friday, 06 February 2009
@Yvonne: no software methodology produces code that is 100% secure. It is not possible to choose to go with free or non-free software on that basis. The key difference between them is a matter of the control that it gives the user (crucially important for governments) and, to a lesser extent, possible savings in TCO.
Moreover, Fortify used specific info about open source Java apps to make a sweeping statement about OSS in general that was hardly justified.
Ryan Berg said on Monday, 09 February 2009
Security of software is not somehow magically related to whether it was closed-source, open-source, or out-sourced. It is directly related to the process put in place to design, develop, deploy, and maintain it, making sure that security is considered throughout. Open source projects are certainly no better or worse (in general) than any other kind of application in this. If the process breaks down anywhere along that axis, it doesn't matter who developed the code; there will be risks involved. There are advantages and disadvantages to all kinds of applications, but that really depends on the maturity of the application, development company etc. Making a generalized statement about lack of security in open source code is faulty and places blame in the wrong direction.