Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Tories ignoring open-source security risk

Opposition party has got it all wrong, says Fortify.

Article comments

The British Conservative Party was wrong to slate the UK Government for its approach to open source, and US outfit Fortify Software has come up with research to prove it. The bottom line: open source is just too risky anyway.

According to Fortify, comments made by Tory shadow Chancellor George Osborne on the Government's alleged failure to embrace open source, ignore the hidden problems underlying its model of software creation.

"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches," said Fortify vice president, Richard Kirk.

"That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer," he claimed.

The company points to its own research, released last July, to back up its contention that open source development can be of patchy quality in terms of security, lacking in commercial-grade software change control. The end result can be an increased risk of security holes, and tardiness in dealing with them when they are discovered.

"It's therefore highly questionable whether the Conservative Party has thought this issue through before criticising the current Government for failing to support open source," opines Kirk, contentiously.

"The Government shouldn't just consider OS because it significantly reduces costs, especially after their recent history of data breaches, they have to be able to guarantee that it is robust from a security stand-point too," he concludes.

Kirk's comments contrast with the scathing analysis of government policy failure alleged by Osborne in his party's most recent release on the topic from this week. This followed a Conservative-sponsored report by Mark Thompson of Cambridge University, which spotted numerous flaws in IT policy.

"Government needs to stop thinking that when it comes to procuring IT systems, big is always beautiful," writes Osborne. "We need to move in the direction of what are known as 'open standards' - in effect, creating a common language for government IT. This technical change is crucial because it allows different types of software and systems to work side by side in government."

"The UK government is falling far behind. Too much taxpayers' money is being wasted as a result of flawed procurement, risk-adverse bureaucracy and a lack of incentives for cutting costs," he was reported as saying in a separate statement.

This is only the latest installment in the Conservatives' long-running feud with the Government over open source. Two years ago, Osborne put much the same charge in a speech that lambasted the Government over financial failure of some high-profile IT projects. Embracing open source would require a cultural change to take place at the heart of government, he said.


More from Techworld

More relevant IT news


Ryan Berg said: Security of software is not somehow magically related to whether it was close-source open-source or out-source It is directly related to the process put in place to design develop deploy and maintain Making sure that security is considered throughout Open source projects are certainly no better or worse in general to any other kind of application in this If the process breaks down anywhere along that axis it doesnt matter who developed the code there will be risks involved There are advantages and disadvantages to all kinds of applications but that really depends on the maturity of the application development company etc Making a generalized statement about lack of security in open source code is faulty and places blame in the wrong direction

Ross Gardler said: Fortify are a company with a vested interest in selling fortified products Rather than quoting evidence from organisations with a bias it would be better to look at examples in the real worldeg National Security Agency takes the open source route - httpwwwwiredcomtechbizmThere are loads more examples from across the world just take a look

Compare and contrast said: Parts of the civil service still uses NT4 - unpatched since 2004 They will not pay for upgrades or specialised license for NT4 In contrast an open OS could be patched by contractors as and when required - the organisation can manage security in any way it sees fitCompare security and response times between Firefox and IE for a realworld example

Complains said: I wonder if there is justification for a complaint to one of the various consumer protection organizations for this article Seems to be a completely self-serving bunch of FUD written by a Microsoft partner strictly for the purpose of shoring up support for Microsoft Its either a press release or one of those paid-for informercials that pretends to be an article but is really just advertising The author of this piece is either a paid shill an incompetent journalist who doesnt check his facts or is just really gullible and simply repeats what ONE source tells him Which is it Mr Dunn

Jack said: This company is clearly afraid of open source software The security industry is a fraud Security does not come through virusmalware definitions People who dont understand that security is patching the bugs that allow the malware in is the problem- and the end-usersoftware distribution systemOpen source solves both problems Open source software doesnt rely on the developers to write security patches Security patches only need to be applied to the software- thus no security industry need exist with open source softwareEncryption solutions also need to be open sourced in order to ensure security One again the security industry is afraid of this as open source solutions means real competition

Sasha said: They should use Microsoft programs Microsoft will spy only for US and UK is US satellite so no harm would be done

Ross Currie said: Utter nonsenseComputer securityanti-virus companies are the used-car dealerships of the InternetYou may as well ask a Ford dealer for a comparison of American vs Japanese carsOpen source software is MORE secure than commercial software

Confused GNU Supporter said: So after paying 500 for an operating system that requires you to upgrade your RAM just to boot up to your desktop you get a virus from visiting a website and your shiny new machine turns into a zombie on a massive bot network making money for someone else and annoying millions with spam everyday Now THATS security I can rely on

x said: These times are wonderfullcan you see how much stupid man can be vicepresident of some company -DThis information is very old FUD from Forrester Group and Fortify Software is partner of MS so this info is total bullshitThis troll even dont know pages like SecuniaIf he will know it then he cant say these LIESAnd especially for Richard Kirk - BACK TO SCHOOL moron -D If you want to upgrade your braintry to look at wwwopenbsdorg how looks projects which are interested in security - Ah and sorry they arent commercialhorribleisnt it -D

Tim said: SniffsniffI smell Microoft moneyStop the FUD

Stiggle said: So they based their report on 11 OS java projects Most commercial companies I know of use Open Source change control software Ignore these people and let them go back under their bridge

dono said: Nothing like a little open source porn in your kids schools to drive this point homehttpwwwtescoukarticlea

Stuart Ward said: This entire article is FUD There is no evidence presented just opinion For some evidence see Section 6 of David Wheelers article httpwwwdwheelercomossfs

clarisa montenegro said: Has any for profit security company ever supported open-source

clarisa montenegro said: Has any for profit security company ever supported open-source

stronk7 said: Sure there isnt any interest in this article nor its biassed Please be more serious when releasing FUD like thisDo you know what take years to be fixed Yeah commercial software from vendors like Microsoft Apple Oracle Microsoft duh did I say Microsoft twice -DAs said just one fud-auto-marketing article Interested parts shouldnt be allowed to perform those disclaimers publicly More if they are falseCiao -

Henry said: Im a head of Information security for a company and for more than 10 yrs working in the field and also I do reaserch in SecrutiyOpensource is far better in security and is also tested and reviwed by many security instititions ie SANS systmes like Linux BSD Open BSD FreeBSD are more secure than MicrosoftThis claimings of insecure systems on Opensource come from people who are only politicians who dont lieve in the real world and they have no idea on technology and are being advice for companies that they profit come only form Microsoft productsthe solution for this compnies is to diversify and accept the fact that open source is more efficient secure and cost efective

Say what? said: Quote flaws on commercial applications tend to get patched a lot faster than on open sourceUm say what Historically open source software has had flaws patched MUCH faster than closed-source software within hours of discovery in some cases Any report that claims the opposite had better have some serious figures to back it up

Pete Hunt said: I could mention that Fortify are a MS partner whove been involved in joint product launches with Microsoft hardly an unbiased commentator I could also mention httpsopensourcefortifycom Judging by the testing methodology dug up by the slashdot crowd Fortify are not the people you want supporting your arguments

No surprise said: I am not surprised by such a stance of a COMMERCIAL software vendor They simply ignore that in commercial software you have to wait for patch theres no other option with FLOSS patch you can pay to get the patch much soonerBesides Internet Explorer and Windows are commercial softwareAnything else

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *