More FOSS security scare-mongering

With all the talk of open source and the Obama administration, it shouldn't come as any surprise that the scare-mongering around FOSS security is going to be close behind -- and here's part of the first wave, fresh from Ernest M. Park.

Park is using a single data point (the Debian OpenSSL weak-key bug from last spring, in which a Debian-specific patch left OpenSSL's random number generator seeded by little more than the process ID, so the keys it produced came from a small, enumerable set) to try to build uncertainty around the readiness of FOSS for government work, even though he admits proprietary software may be no more secure than FOSS. Here's what Park has to say:

Now one of the arguments for open source is that there are more eyes looking over the code, since the code is openly available to be reviewed and changed by the community. This is true and one of the reasons that this bug was discovered. The open source system of discovering bugs is beneficial in that the number of people reviewing the code is far greater than for proprietary software. But as the Debian OpenSSL case shows us, it might take up to two years before it is discovered or at least published. Within the past two years, this bug may have already been discovered and not published, with the finder exploiting the bug for all that time. The problem with community review is that it is a voluntary choice and not an obligation.

The problem with Park's argument is this: access to code is not necessary for discovery of vulnerabilities. Attackers find holes in closed binaries by fuzzing, by reverse engineering, and by simply probing a product's behaviour from the outside, and the Debian bug is a case in point: the weak keys it produced can be recognized from the keys alone, which is exactly how the blacklist tools catch them, with no need to read a line of OpenSSL. Plenty of security holes are discovered in proprietary products without the results being published, and plenty have existed in proprietary products and been exploited long before a fix was available.
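To make that concrete, here is an added example (mine, not code from the original post, from Debian or from OpenSSL) that models the shape of the Debian weak-key bug and then detects it purely from the keys a generator emits. The observer never reads the generator's source; it only runs it and looks at the output. The toy generator, the `PID_MAX` range, the 16-byte "entropy" model and the sample sizes are constructed assumptions and do not reproduce the real OpenSSL code.

```python
"""
Toy model of a PID-only-seeded key generator (the shape of the 2008 Debian
OpenSSL weak-key bug) plus two black-box checks that expose it without ever
reading the generator's source.  Everything here is a constructed model for
illustration; it is not the OpenSSL or Debian code.
"""
import hashlib
import random
from typing import Callable, List, Set

# Linux default pid_max.  In the real bug the PID was essentially the only
# input that still varied between runs, so it bounds the number of keys.
PID_MAX = 32768

KeyGen = Callable[[int, bytes], bytes]


def flawed_keygen(pid: int, entropy: bytes) -> bytes:
    """Broken generator: 'entropy' is never mixed in, so the key is a pure
    function of the PID and only PID_MAX distinct keys can ever come out."""
    seed = b"toy-prng|" + pid.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[:16]


def sound_keygen(pid: int, entropy: bytes) -> bytes:
    """Reference generator: the entropy is mixed in, so keys are unpredictable."""
    seed = b"toy-prng|" + pid.to_bytes(4, "big") + entropy
    return hashlib.sha256(seed).digest()[:16]


def observe_keys(keygen: KeyGen, n: int, rng: random.Random) -> List[bytes]:
    """Black-box observer: start n fresh 'processes' (random PID, fresh
    simulated entropy), ask each for a key, and record only what comes out."""
    keys = []
    for _ in range(n):
        pid = rng.randrange(1, PID_MAX)
        entropy = rng.getrandbits(128).to_bytes(16, "big")
        keys.append(keygen(pid, entropy))
    return keys


def count_duplicates(keys: List[bytes]) -> int:
    """Check 1: repeated keys.  128-bit keys should never collide in a few
    thousand samples; a PID-sized keyspace collides after a few hundred
    (birthday bound), so any duplicate at all is a red flag."""
    return len(keys) - len(set(keys))


def build_blacklist(keygen: KeyGen, rng: random.Random) -> Set[bytes]:
    """Check 2: if the keyspace is small, enumerate it.  This is the approach
    the Debian blacklist tools took for the real bug: run the generator once
    per possible PID, keep every key it emits, and later flag any key that
    matches.  The observer only drives the generator; it never reads it."""
    blacklist = set()
    for pid in range(1, PID_MAX):
        entropy = rng.getrandbits(128).to_bytes(16, "big")  # whatever the box has
        blacklist.add(keygen(pid, entropy))
    return blacklist


def flagged_fraction(keys: List[bytes], blacklist: Set[bytes]) -> float:
    """Share of observed keys that appear in the precomputed blacklist."""
    return sum(k in blacklist for k in keys) / len(keys)


if __name__ == "__main__":
    rng = random.Random(2008)
    weak = observe_keys(flawed_keygen, 2000, rng)
    good = observe_keys(sound_keygen, 2000, rng)
    print("duplicates among 2000 keys: flawed =", count_duplicates(weak),
          "sound =", count_duplicates(good))
    blacklist = build_blacklist(flawed_keygen, random.Random(1))
    print("blacklist size:", len(blacklist))
    print("fraction blacklisted: flawed =", flagged_fraction(weak, blacklist),
          "sound =", flagged_fraction(good, blacklist))
```

Both checks need only the generator's outputs. The collision check is the kind of thing anyone sampling keys from a fleet of hosts could have run; the blacklist check is exactly what the distribution shipped once the bug was known. Neither depends on the source being open, which is the point against Park's "more eyes" framing cutting the other way.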

If Park wants to raise concerns about software security, he might start by asking if Microsoft is ready for government work.

Topics: Security, Government, Government : US, Open Source

About

Joe 'Zonker' Brockmeier is the community manager for openSUSE, a community Linux distro sponsored by Novell. Prior to joining Novell, Brockmeier worked as a technology journalist primarily covering the Linux and FOSS beat, and wrote for a number of publications, such as Linux Magazine, Linux.com, Sys Admin, UnixReview.com, IBM developer...
