
posted by janrinok on Thursday May 17 2018, @08:38PM
from the it-wasn't-me dept.

There's a minor media dust-up over which is worse, Open-source vulnerabilities, or Poor Enterprise IT Security?

On Tuesday, 15 May, ZDNet quoted from a Black Duck study and opined that the problem was the "Open-source vulnerabilities", posting an article entitled Open-source vulnerabilities plague enterprise codebase systems.

Vulnerabilities including the bug reportedly responsible for Equifax's data breach are still common elements of open-source systems used in the enterprise... the nature of open-source projects means that as developers are giving away their time for free, sometimes, bugs may escape the net and cause chaos...

Wednesday, May 16th, TechRepublic answered with Enterprise IT shouldn't blame open source for their own poor security practices:

Even if we set aside the fact that Black Duck sells tools and services to root open source out of your enterprise... Open source vulnerabilities will often get disclosed earlier than those in managed software [and] it's up to IT to apply the patches.

In other words, open source developers are doing their best to write good software, publish notices when bugs are found, and then fix those bugs. What the open source world cannot do, however, is fix inept IT practices. Despite the headlines, it's not the open source world's problem that so many want to use the software but can't be bothered to apply updates.

Is the problem more the one, the other, or both? Or is it the insistence on calling free software "Open Source," referring to just one freedom of many?

  • (Score: 0) by Anonymous Coward on Thursday May 17 2018, @10:22PM (#680913) (1 child)

    What's worse? Poor enterprise security. Why? Because any shop with poor security does not necessarily run any open source software (with or without vulnerabilities).

    Now, trying to equate the two is simply ridiculous. Anyone trying to undermine the open source community can try to taint it with a comparison to something as notoriously insufficient as enterprise security ... but just because they ask this type of question doesn't mean the two are in the same ballpark, or area code, or even time zone.

  • (Score: 5, Insightful) by tftp (806) on Friday May 18 2018, @12:32AM (#680944) Homepage

    Shops with poor security are more likely to run closed source software because they use sysadmins who are among the least enlightened ones. Those sysadmins, often doing part-time IT, look for easy solutions. They put the DVD in, answer a few very simple questions, verify that they paid the money - and then they are free to go. If anything happens, like an update to SharePoint that kills SharePoint - your problem, as that update has to be installed under the beat of a different tambourine. The autoconfiguration of Exchange dies - your problem, as there are 277 different solutions that worked for different people (including a complete reinstall). The security log? Always full of garbage about something (SharePoint search service fails to start - what now?). The best practices analyzer? Often unhappy. For that reason inattentive sysadmins easily install the system and equally easily forget it while it works. Patches can break it, as they did for me, and I paid dearly with my time trying to keep this pile of rotten bits running.

    Shops that use F/OSS employ sysadmins who know a bit more and can look deeper. Usually they are not one of the engineers who happens to know how to boot from a DVD, but someone trained and assigned to do the IT. They have the time and knowledge to track bugs and deploy needed patches onto all relevant computers. Unsurprisingly, they achieve better results than amateurs. The complexity of configuring open source s/w (see Bacula, for example) filters away those who seek solutions that are easy, shiny, and just a bit wrong.