Security Basics mailing list archives

RE: Why open source software is more secure


From: "Hayes, Ian" <ihayes () nvcancer org>
Date: Thu, 8 May 2008 09:11:34 -0700

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of David Harley
Sent: Thursday, May 08, 2008 8:36 AM
To: security-basics () securityfocus com
Subject: RE: Why open source software is more secure

The main goal of a software vendor is not to bring you a
_good_ product, but to sell it you. That is the only truth
about that.

And I thought I was cynical... I'm not saying that there aren't poor
products, but there are companies who see making a quality product as a
sales asset, and making a living out of selling a product doesn't mean
you can't believe in and be passionate about improving that product.

Companies that make bad products usually get weeded out in our market
system. I say usually. Someone's going to take umbrage and argue the
point that some companies put out bad products and still survive
somehow. I'm aware of this.
 
That's why the product might be fully featured,
nicely decorated and published on time: the vendor is
economically motivated to make it this way. But there's no
sense to make it secure and stable because the only motive
for this is liability, which does not exist in the software industry.

This is exactly the wrong way round. Selling a product usually
establishes a contractual liability. Open source software is unsuitable
in many contexts precisely because of the difficulty of establishing
liability in the event of a problem.

I'm not saying that good (excellent, even) open source software doesn't
exist: I use some myself. But there is also stuff around that couldn't
survive commercially because of its limitations and/or lack of support.

Exactly. When we were looking for an Electronic Medical Records system
(EMR), the idea of open source didn't even come across the table. The
Veterans Administration has a lovely open-source EMR called VistA, but
if something breaks, we need to be able to pick up a phone, call someone
and get it fixed. Our Board and upper-level execs aren't comfortable
with the idea that something so critical doesn't have some kind of 24/7
professional support. There is certainly an amount of apprehension in
upper management in a lot of organizations about something you get for
free.

That's not to say that I don't use open source software here, but I'm
not going to use it for something so critical without some kind of
support system.

I've evaluated other open source projects that offer some kind of
professional support and services contract. Some of them just don't make
the cut versus commercial software. Even if commercial software costs
twice or three times the cost of buying support for a FOSS product, I
can't recommend going open source if the software is no good or doesn't
compare favorably. Some FOSS products don't scale well in enterprise
environments. I'm not saying they never will, just not right now.

--
Ian Hayes
Systems Engineer
Nevada Cancer Institute
Office: (702) 822-5156
email: ihayes () nvcancer org
http://www.nevadacancerinstitute.org
