Security Basics mailing list archives
RE: Why open source software is more secure
From: "Hayes, Ian" <ihayes () nvcancer org>
Date: Thu, 8 May 2008 09:11:34 -0700
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Harley
Sent: Thursday, May 08, 2008 8:36 AM
To: security-basics () securityfocus com
Subject: RE: Why open source software is more secure

>> The main goal of a software vendor is not to bring you a _good_ product, but to sell it you. That is the only truth about that.

> And I thought I was cynical... I'm not saying that there aren't poor products, but there are companies who see making a quality product as a sales asset, and making a living out of selling a product doesn't mean you can't believe in and be passionate about improving that product.

Companies that make bad products usually get weeded out in our market system. I say usually. Someone's going to take umbrage and argue the point that some companies put out bad products and still survive somehow. I'm aware of this.

>> That's why the product might be fully featured, nicely decorated and published on time: the vendor is economically motivated to make it this way. But there's no sense to make it secure and stable because the only motive for this is liability which does not exist in the software industry.

> This is exactly the wrong way round. Selling a product usually establishes a contractual liability. Open source software is unsuitable in many contexts precisely because of the difficulty of establishing liability in the event of a problem.
>
> I'm not saying that good (excellent, even) open source software doesn't exist: I use some myself. But there is also stuff around that couldn't survive commercially because of its limitations and/or lack of support.

Exactly. When we were looking for an Electronic Medical Records system (EMR), the idea of open source didn't even come across the table. The Veteran's Administration has a lovely open-source EMR called VistA, but if something breaks, we need to be able to pick up a phone, call someone and get it fixed. Our Board and upper-level execs aren't comfortable with the idea that something so critical doesn't have some kind of 24/7 professional support. There is certainly an amount of apprehension in upper management in a lot of organizations about something you get for free.

That's not to say that I don't use open source software here, but I'm not going to use it for something so critical without some kind of support system. I've evaluated other open source projects that offer some kind of professional support and services contract. Some of them just don't make the cut versus commercial software. Even if commercial software costs twice or three times the cost of buying support for a FOSS product, I can't recommend going open source if the software is no good or doesn't compare favorably. Some FOSS products don't scale well in enterprise environments. I'm not saying they never will, just not right now.

--
Ian Hayes
Systems Engineer
Nevada Cancer Institute
Office: (702) 822-5156
email: ihayes () nvcancer org
http://www.nevadacancerinstitute.org