Fortify sets off FUD flood
I was impressed by the work Fortify did in raising concerns about the security process among open source application developers.
But did it really call for a FUD (Fear, Uncertainty, Doubt) flood, questioning the whole premise of open source? (I misidentified CTO Roger Thornton in my original story, so here is his picture.)
Just look at these headlines:
- Open source 'lacks enterprise-grade security'
- Open source, open to attack
- Open source software a security risk
- Manufacturers are putting themselves at risk using open source software
- What open source could learn from Microsoft
- Study says open source software a security risk
Et tu, Slashdot?
The Fortify story was a warning aimed at application developers. It was about process, and about the dangers of ignoring sound security processes when developing applications, because bad guys are now targeting those applications.
The Fortify study did not say enterprises must avoid open source because all open source is a security risk. But that's how lazy reporters played it.
Fortify is a security company, which aims to use its study to sell its services. Nothing wrong with that. But it does mean we have one data point from a vendor with an axe to grind. Throwing the whole movement under the bus over this is silly.
I was concerned this might happen, which is why I emphasized the warning nature of the study, in both my story and my comments. It's a serious issue meant to be taken seriously.
But dumping open source over application security concerns is a false economy, and lazy reporters who advocate it are committing journalistic malpractice.