Fortify sets off FUD flood

The Fortify study did not say enterprises must avoid open source because all open source is a security risk. But that's how lazy reporters played it.

Roger Thornton, CTO, Fortify
I was impressed by the work Fortify did in raising concerns about the security process among open source application developers.

But did it really call for a FUD (Fear, Uncertainty, Doubt) flood, questioning the whole premise of open source? (I misidentified CTO Roger Thornton in my original story, so here is his picture.)

Just look at these headlines:

Et tu, Slashdot?

The Fortify story was a warning aimed at application developers. It was about process, about the dangers of ignoring sound security practices when developing applications, because bad guys are now targeting those applications.

Fortify is a security company, which aims to use its study to sell its services. Nothing wrong with that. But it does mean we have one data point from a vendor with an axe to grind. Throwing the whole movement under the bus over this is silly.

I was concerned this might happen, which is why I emphasized the warning nature of the study, in both my story and my comments. It's a serious issue meant to be taken seriously.

But dumping open source over application security concerns is a false economy, and lazy reporters who advocate it are committing journalistic malpractice.
