Ingres gives Fortify security study a good fisking

Open source projects in Fortify's Open Review report fewer defects per thousand lines of code than proprietary products in the same review.

Emma McGrattan, Ingres senior vp and Eclipse board candidate for 2008
Since Fortify released its security study, unleashing the FUD flood, I have been waiting for someone to give it a good fisking.

Today we have a winner. Meet Emma McGrattan, senior vice president of engineering for Ingres, an open source database outfit.

McGrattan is no dirty hippie blogger. She is a candidate for the board of Eclipse, from which the photo was taken. And she's a graduate of Dublin City University in Ireland, for my money the real fighting Irish.

Her main points:

  1. There are other security toolkits other than Fortify. Just because you don't use their system doesn't mean you don't care.
  2. When reading vendor-sponsored studies consider the source. Always a wise move.
  3. Open source projects in Fortify's Open Review report fewer defects per thousand lines of code than proprietary products in the same review. I didn't know that.

Many of Fortify's recommendations are cheap and easy to implement, McGrattan notes, and all projects should do more to protect their users.

Like post a security-specific e-mail alias on your Web site and have an expert on standby for questions concerning attacks.

Being transparent about your own vulnerabilities is also a good thing. Ingres is. Transparency does a lot more for everyone's security than opacity. That's just my personal bottom line.

One more point. Fortify's study chose 11 open source projects to research. Ingres was not one of them.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All