
posted by janrinok on Thursday May 17 2018, @08:38PM
from the it-wasn't-me dept.

There's a minor media dust-up over which is worse, Open-source vulnerabilities, or Poor Enterprise IT Security?

On Tuesday, 15 May, ZDNet quoted from a Black Duck study and opined that the problem was the "Open-source vulnerabilities", posting an article entitled Open-source vulnerabilities plague enterprise codebase systems.

Vulnerabilities including the bug reportedly responsible for Equifax's data breach are still common elements of open-source systems used in the enterprise... the nature of open-source projects means that as developers are giving away their time for free, sometimes, bugs may escape the net and cause chaos...

Wednesday, May 16th, TechRepublic answered with Enterprise IT shouldn't blame open source for their own poor security practices:

Even if we set aside the fact that Black Duck sells tools and services to root open source out of your enterprise... Open source vulnerabilities will often get disclosed earlier than those in managed software [and] it's up to IT to apply the patches.

In other words, open source developers are doing their best to write good software, publish notices when bugs are found, and then fix those bugs. What the open source world cannot do, however, is fix inept IT practices. Despite the headlines, it's not the open source world's problem that so many want to use the software but can't be bothered to apply updates.

Is the problem more one, or the other, or both? Or is it the insistence on calling free software "Open Source," referring to just one freedom of many?


  • (Score: 3, Insightful) by stretch611 (6199) on Thursday May 17 2018, @10:36PM (#680921) (2 children)

    The real issue is poor IT security... hands down.

    Open Source software does have its vulnerabilities and zero-day attacks. You are blind if you believe otherwise. Of course, they get patched and fixes are created. Even if the original developer is no longer around, being open source means that someone else can come around and fix the problem.

    Then again, you are just as blind if you think that closed-source software is free from the same vulnerabilities. However, unlike open source, only the owners of the source code can do anything about it.

    But the real problem is poor IT. After all, it doesn't matter if the faulty software gets patched or not, if your IT department is too inept to check for regular updates or too inept to actually apply the updates.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 3, Insightful) by Immerman (3985) on Thursday May 17 2018, @11:47PM (#680935)

    Or too inept to implement decades-old "best practice" procedures, so that they leave open gaping security holes which could easily be closed just by changing a setting somewhere.

    And that's before we even get into the "in house" software, which is notoriously vulnerable even in security companies that should REALLY know better.

  • (Score: 0) by Anonymous Coward on Friday May 18 2018, @02:58AM (#680980)

    Or too hamstrung by their "customers" that necessary updates and fixes cannot be done until next Thanksgiving Day and after 10 change control meetings have been called.