Re: Understanding the security implications of SAKAI?

[Theresa M Rowe <rowe () OAKLAND EDU>]

Actually, I think about open source quite differently than I
do vendor source in these areas.

How do I, as a consumer, know that there are no "hidden
lines" of code that could disrupt privacy or gather
unauthorized information?

When I worked in software development for the automotive
industry some years ago, independent auditing firms were
hired to review program code to check for unauthorized code,
invalid formulas in business decisions, or
other "untrustworthy" modules.

Our university is no longer staffed to do that sort of
auditing, nor could we afford an independent auditor.  We
write those kinds of checks into our software contract.

We do use some open source, but we are very selective about
where we use it.  The closer it gets to official counts or
monies, the more uncomfortable I am without audit controls
at the code level.

Theresa Rowe
Oakland University

> The biggest potential issues are shared by both open-source
and proprietary
> systems.  At a high level:
>        - Is the design OK?
>                - Is there an authentication model and
mechanism?
>                - Is there a good authorization model?
>                - What are the administrative processes,
and do they function well?
>                  Are administrative functions assigned and
delegated to those
>                  with an interest (and the time) to make
the right things happen?
>        - Is the implementation (by the developers) OK?
>        - Is the implementation (by the deployers) OK?
>        - Are whole new social issues created or exposed by
the use of the system?
>        x
>        - Is configuration prone to certain pitfalls?
>        - Is installation of the underlying web app
environment prone to certain pitfalls?
>        - In the heat of the moment, are insecure
mechanisms chosen by developers or deployers?
> The biggest risk is assuming that the platform or vendor
has figured
> this out for you, so you don't have to look hard yourself.
Any powerful
> general-purpose platform offers plenty of potential for bad
implementation
> decisions even if the platform itself is perfect.  Both
community and
> local review with sufficient effort is a good idea.
>
> Ideally you'd think about the same issues for this or for,
say, a Blackboard
> implementation.
>
>
> Liudvikas Bukys
> Scientist
> <bukys () cs rochester edu>
>
> **********
> Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.