Ingres gives Fortify security study a good fisking

Summary: Open source projects in Fortify's Open Review report fewer defects per thousand lines of code than proprietary products in the same review.

[Photo: Emma McGrattan, Ingres senior VP and Eclipse board candidate for 2008]

Since Fortify released its security study, unleashing the FUD flood, I have been waiting for someone to give it a good fisking.

Today we have a winner. Meet Emma McGrattan, senior vice president of engineering for Ingres, an open source database outfit.

McGrattan is no dirty hippie blogger. She is a candidate for the board of Eclipse, from which the photo was taken. And she's a graduate of Dublin City University in Ireland, for my money the real fighting Irish.

Her main points:

  1. There are security toolkits other than Fortify. Just because you don't use their system doesn't mean you don't care.
  2. When reading vendor-sponsored studies consider the source. Always a wise move.
  3. Open source projects in Fortify's Open Review report fewer defects per thousand lines of code than proprietary products in the same review. I didn't know that.

Many of Fortify's recommendations are cheap and easy to implement, McGrattan notes, and all projects should do more to protect their users.

For example, post a security-specific e-mail alias on your Web site and have an expert on standby for questions concerning attacks.

Being transparent about your own vulnerabilities is also a good thing. Ingres is. Transparency does a lot more for everyone's security than opacity. That's just my personal bottom line.

One more point. Fortify's study chose 11 open source projects to research. Ingres was not one of them.

Topics: Software, Data Centers, Data Management, Enterprise Software, Security
