
posted by janrinok on Thursday May 17 2018, @08:38PM
from the it-wasn't-me dept.

There's a minor media dust-up over which is worse, Open-source vulnerabilities, or Poor Enterprise IT Security?

On Tuesday, 15 May, ZDNet quoted from a Black Duck study and opined that the problem was the "Open-source vulnerabilities", posting an article entitled Open-source vulnerabilities plague enterprise codebase systems.

Vulnerabilities including the bug reportedly responsible for Equifax's data breach are still common elements of open-source systems used in the enterprise... the nature of open-source projects means that as developers are giving away their time for free, sometimes, bugs may escape the net and cause chaos...

Wednesday, May 16th, TechRepublic answered with Enterprise IT shouldn't blame open source for their own poor security practices:

Even if we set aside the fact that Black Duck sells tools and services to root open source out of your enterprise... Open source vulnerabilities will often get disclosed earlier than those in managed software [and] it's up to IT to apply the patches.

In other words, open source developers are doing their best to write good software, publish notices when bugs are found, and then fix those bugs. What the open source world cannot do, however, is fix inept IT practices. Despite the headlines, it's not the open source world's problem that so many want to use the software but can't be bothered to apply updates.

Is the problem one, the other, or both? Or is it the insistence on calling free software "Open Source," referring to just one freedom of many?


  • (Score: 5, Insightful) by aristarchus on Thursday May 17 2018, @09:37PM (6 children)

    by aristarchus (2645) on Thursday May 17 2018, @09:37PM (#680901) Journal

    What's worse? False equivalencies, or commercial interest funded journalism?

  • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @09:46PM

    by Anonymous Coward on Thursday May 17 2018, @09:46PM (#680905)

    These days they are one and the same, usually. So both?

  • (Score: 1, Informative) by Anonymous Coward on Friday May 18 2018, @07:45AM

    by Anonymous Coward on Friday May 18 2018, @07:45AM (#681062)

    You are missing the point - how much did Equifax contribute to the Open Source world?

    And how much did they take from it by their utterly evil business practices damaging OSS developers?

    Equifax are spawn of the devil, and richly deserve a stake through the heart. The fact that this did not happen is evidence that the governments involved are completely corrupt. There is a complete failure of the system of government in almost all known countries. This is a much bigger problem than a few bugs in some old software.

    Forget OSS - concentrate on your local "elected" "representative" - "debug" him/her (possibly with sharks and lasers?).

  • (Score: 1, Informative) by Anonymous Coward on Friday May 18 2018, @07:55AM (2 children)

    by Anonymous Coward on Friday May 18 2018, @07:55AM (#681066)

    Yeah. We've mentioned that source of FUD before.
    S/N latecomer requerdanos (5997) must have missed it.

    2014 [soylentnews.org]
    Black Duck Software, Inc. [techrights.org] is an anti-FOSS operation.
    Any time you see that (one-man) operation "advocating" for FOSS, you have to ask "What is the ulterior motive?"
    Mostly, that M$ proxy** [google.com] is just involved in Openwashing. [google.com]

    2017 [soylentnews.org]
    Black Duck is Microsofties[1] whose business model is to convince you that FOSS is insecure and that, if you're going to run it, you need their whiz-bang closed-source software.

    ...in contrast to the M$ infection of the month^W week^W day and the backdoors in M$ stuff that Redmond has handed over to the NSA.
    (as an occult part of the settlement of the USA vs M$ court case??)

    Roy Schestowitz and his crew at TechRights are constantly busting Black Duck for one scam or another.
    ...as well as the "journalists" who reprint Black Duck's M$-friendly/FOSS-hostile claims without vetting those.

    [1] Almost said former Microsofties, but there's no such thing.

    ** It's been a while since I last saw Roy bust Black Duck.
    I hadn't gotten to Roy's quasi-daily news digest today, but, sure enough, he's all over this. [googleusercontent.com] (orig) [techrights.org]
    It's in the page title and 3 items under the subheading Pseudo-Open Source (Openwashing), in turn under the heading Free Software/Open Source.

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by aristarchus on Friday May 18 2018, @08:15AM (1 child)

      by aristarchus (2645) on Friday May 18 2018, @08:15AM (#681074) Journal

      Well done, gw_eg! Now is there any chance that we could have our eds trained in the fine art of detecting Micro$oft shill submissions, and not accepting them? They seem to be quite adept at rejecting aristarchus submissions, so a mere substitution of the triggering stimulus should be sufficient. Unless they are actually getting paid?

      • (Score: 0) by Anonymous Coward on Friday May 18 2018, @09:03AM

        by Anonymous Coward on Friday May 18 2018, @09:03AM (#681087)

        Hmmm. You have been digging through my archives.

        Dr. Roy (years before he got his PhD in Computer Science) had a page he called The Free Software Credibility Index on his site, which was then called BoycottNovell.
        My bookmark was so ancient that when I created it, hyphens still worked with wildcards 100 percent in Google cache URLs.

        Re-did those 2 things but I'm not getting the URL of the cached page to resolve for me.
        Maybe it's just a crap server near me that hasn't updated and you'll have better luck.[1]
        cache [googleusercontent.com] (orig) [techrights.org]

        Again: Only an example of what is needed; horribly out of date.
        (I see dead people['s names].)

        [1] Used to be able to put 1 of Google's several numerical domains in the URL to bypass that sort of crap. No mas.

        -- OriginalOwner_ [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Friday May 18 2018, @08:16AM

    by Anonymous Coward on Friday May 18 2018, @08:16AM (#681075)

    I even have a boilerplate bookmark I'll share with folks to avoid the smeghead stenographers (definitely NOT journalists) at zdnet who reprint this crap.

    The S/N comments engine is STILL broken WRT UTF8-ized quote marks in hyperlinks, so you'll have to copy&paste.
    google.com/search?q=site:zdnet.com/article/enterprise-codebases-plagued+"By.*.*.for.*.May"
    (Charlie Osborne in this case.)

    -- OriginalOwner_ [soylentnews.org]