IT Jobs
Tories ignoring open-source security risk
Opposition party has got it all wrong, says Fortify.
By John Dunn | Techworld
Published: 13:01 GMT, 05 February 09
The British Conservative Party was wrong to slate the UK Government for its approach to open source, and US outfit Fortify Software has come up with research to prove it. The bottom line: open source is just too risky anyway.
According to Fortify, comments made by Tory shadow Chancellor George Osborne on the Government's alleged failure to embrace open source, ignore the hidden problems underlying its model of software creation.
"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches," said Fortify vice president, Richard Kirk.
"That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer," he claimed.
The company points to its own research, released last July, to back up its contention that open source development can be of patchy quality in terms of security, lacking in commercial-grade software change control. The end result can be an increased risk of security holes, and tardiness in dealing with them when they are discovered.
"It's therefore highly questionable whether the Conservative Party has thought this issue through before criticising the current Government for failing to support open source," opines Kirk, contentiously.
"The Government shouldn't just consider OS because it significantly reduces costs, especially after their recent history of data breaches, they have to be able to guarantee that it is robust from a security stand-point too," he concludes.
Kirk's comments contrast with the scathing analysis of government policy failure alleged by Osborne in his party's most recent release on the topic from this week. This followed a Conservative-sponsored report by Mark Thompson of Cambridge University, which spotted numerous flaws in IT policy.
"Government needs to stop thinking that when it comes to procuring IT systems, big is always beautiful," writes Osborne. "We need to move in the direction of what are known as 'open standards' - in effect, creating a common language for government IT. This technical change is crucial because it allows different types of software and systems to work side by side in government."
"The UK government is falling far behind. Too much taxpayers' money is being wasted as a result of flawed procurement, risk-adverse bureaucracy and a lack of incentives for cutting costs," he was reported as saying in a separate statement.
This is only the latest installment in the Conservatives' long-running feud with the Government over open source. Two years ago, Osborne put much the same charge in a speech that lambasted the Government over financial failure of some high-profile IT projects. Embracing open source would require a cultural change to take place at the heart of government, he said.
Add your commentComments
Matt | Published: 21:01 GMT, 17 February 2009
Where's the security from the company that produces most proprietary software? If I use iTunes, I am unable to adequately secure myself from intrusion by Apple. This is true of all proprietary software.
Ryan Berg | Published: 17:33 GMT, 09 February 2009
Security of software is not somehow magically related to whether it was close-source, open-source, or out-source. It is directly related to the process put in place to design, develop, deploy, and maintain. Making sure that security is considered throughout. Open source projects are certainly no better or worse (in general) to any other kind of application in this. If the process breaks down anywhere along that axis it doesn’t matter who developed the code there, will be risks involved. There are advantages and disadvantages to all kinds of applications but that really depends on the maturity of the application, development company etc. Making a generalized statement about lack of security in open source code is faulty and places blame in the wrong direction.
Ross Gardler | Published: 23:25 GMT, 07 February 2009
Fortify are a company with a vested interest in selling "fortified" products. Rather than quoting "evidence" from organisations with a bias it would be better to look at examples in the real world: e.g. National Security Agency takes the open source route - http://www.wired.com/techbiz/media/news/2001/04/42972 There are loads more examples from across the world, just take a look.
Compare and contrast | Published: 09:56 GMT, 07 February 2009
Parts of the civil service still uses NT4 - unpatched since 2004!! They will not pay for upgrades or specialised license for NT4. In contrast, an open OS could be patched by contractors as and when required - the organisation can manage security in any way it sees fit. Compare security and response times between Firefox and IE for a realworld example
Complains | Published: 06:18 GMT, 07 February 2009
I wonder if there is justification for a complaint to one of the various consumer protection organizations for this article? Seems to be a completely self-serving bunch of FUD, written by a Microsoft partner, strictly for the purpose of shoring up support for Microsoft. It's either a press release or one of those paid-for "informercials" that pretends to be an article but is really just advertising. The author of this piece is either a paid shill, an incompetent journalist who doesn't check his facts, or is just really gullible and simply repeats what ONE source tells him. Which is it Mr Dunn?
Jack | Published: 04:31 GMT, 07 February 2009
This company is clearly afraid of open source software. The security industry is a fraud. Security does not come through virus/malware "definitions". People who don't understand that security is patching the bugs that allow the malware in is the problem- and the end-user/software distribution system. Open source solves both problems. Open source software doesn't rely on the developers to write security patches. Security patches only need to be applied to the software- thus no security industry need exist with open source software. Encryption solutions also need to be open sourced in order to ensure security. One again the security industry is afraid of this as open source solutions means real competition.
Sasha | Published: 00:34 GMT, 07 February 2009
They should use Microsoft programs. Microsoft will spy only for US and UK is US satellite, so no harm would be done.
Ross Currie | Published: 19:32 GMT, 06 February 2009
Utter nonsense. Computer security/anti-virus companies are the used-car dealerships of the Internet. You may as well ask a Ford dealer for a comparison of American vs Japanese cars. Open source software is MORE secure than commercial software.
Confused GNU Supporter | Published: 16:22 GMT, 06 February 2009
So... after paying $500 for an operating system that requires you to upgrade your RAM just to boot up to your desktop, you get a virus from visiting a website, and your shiny new machine turns into a zombie on a massive bot network, making money for someone else and annoying millions with spam, everyday. Now THAT'S security I can rely on!
x | Published: 15:59 GMT, 06 February 2009
These times are wonderfull...can you see how much stupid man can be vicepresident of some company? :-D This information is very old FUD from Forrester Group and Fortify Software is partner of MS so this info is total bullshit. This troll even don't know pages like Secunia.If he will know it then he can't say these LIES. And especially for Richard Kirk - BACK TO SCHOOL moron :-D If you want to upgrade your brain...try to look at www.openbsd.org how looks projects which are interested in security ;-) Ah and sorry they aren't commercial......horrible,isn't it? :-D