So I was going to post something about the closing keynote today, but when I realized it was a panel that included Alec Baldwin, I couldn’t bring myself to do it, especially when I saw this from the CTO of Sonatype.
Now don’t get me wrong, he is certainly pointing out a problem that exists today, where products are built with insecure components, versions that should no longer be used because of flaws that have been patched. But he rails too much against open source, saying that because of this it is “cyber-asbestos” that seems good but will cost a fortune to clean up.
Of course the business of Sonatype is to, in some manner, reduce your risk when you use open source products in your final product, but the way the presentation plays, it seems more like he is saying you should just go with Microsoft and Adobe because we all know they never have security problems. Oh, wait…
I think the problem lies more with open source projects not removing versions that should no longer be in use from their repositories. I’m not saying that you should only be able to download the current version of any product, but there should be something more difficult about downloading older versions, especially ones which are known to have problems. This wouldn’t eliminate the problem, but the project leads need to take responsibility for the ability to download such code (at least from their own repositories).
Now Green Rocket Security bases our products off an open source model where we combine various products, add some “secret sauce” and put it all together in a simple package for you. As security experts we investigate bug and vulnerability reports to determine if they impact our solution. And as you can see here, we post this information for major issues and note the need for updates accordingly. If you based your product on Microsoft tools (such as Windows and SQL Server), you need to do the same thing, reviewing vulnerability reports and Microsoft patches just as we do with open source, but at least with open source, we can track all the issues openly, and if needed, even submit a patch ourselves to move forward with ensuring the security of our solutions.
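To make the kind of check described above concrete, here is an added example (not from the original post, and not Green Rocket Security’s own tooling) that scans a pinned dependency list against a set of advisories and flags components still sitting on a version whose flaw has already been fixed. The advisory records, component names and manifest are constructed placeholders, and version ordering follows a simplified scheme in which a pre-release of the fixed version (e.g. `2.3-rc1`) still counts as affected.

```python
"""Flag dependencies pinned to component versions with known, already-fixed flaws.

Added example, not from the original post. Advisory data and the manifest
below are constructed placeholders, not real vulnerability records.
"""
import re

# Constructed advisories: component, first affected version, first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "examplelib", "affected_from": "1.0.0", "fixed_in": "1.4.2"},
    {"id": "ADV-EXAMPLE-002", "component": "parserkit", "affected_from": "2.0", "fixed_in": "2.3"},
]

def parse_version(text: str) -> tuple:
    """Turn '1.10.3-beta' into a comparable tuple: numeric parts compare numerically
    (so 1.10 > 1.9) and a pre-release suffix sorts before the final release."""
    core, _, suffix = text.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # normalise '2.3' to (2, 3, 0)
    return (tuple(parts[:3]), 0 if suffix else 1, suffix)

def is_affected(component: str, version: str) -> list:
    """Return the ids of advisories whose affected range covers this version."""
    v = parse_version(version)
    return [a["id"] for a in ADVISORIES
            if a["component"] == component
            and parse_version(a["affected_from"]) <= v < parse_version(a["fixed_in"])]

def audit_manifest(manifest: str) -> dict:
    """Parse pip-style 'name==version' lines (constructed format) and map each
    flagged dependency to its advisory ids and the lowest version that clears them."""
    findings = {}
    for line in manifest.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9][\w.-]*)", line)
        if not m:
            continue  # blank lines, comments and unpinned entries are skipped
        name, ver = m.group(1), m.group(2)
        hits = is_affected(name, ver)
        if hits:
            fixes = [a["fixed_in"] for a in ADVISORIES if a["id"] in hits]
            findings[name] = {"version": ver, "advisories": hits,
                              "upgrade_to": max(fixes, key=parse_version)}
    return findings

# Constructed manifest: one stale pin, one pre-release of the fixed version, one clean entry.
SAMPLE_MANIFEST = """\
examplelib==1.3.9
parserkit==2.3-rc1
cleanlib==0.9.0
"""

if __name__ == "__main__":
    for name, info in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{name}=={info['version']} hit {info['advisories']}; upgrade to {info['upgrade_to']}")
```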
So I guess what I’m really getting at is that there are problems with all software. He makes a good point that known issues should not be repeated in a product by relying on out-of-date components, but we are all human, and make mistakes. I applaud their efforts to minimize or eliminate this type of issue, but you can’t just take that and blast open source as the scourge of computing today, because if it really was, not only would we be more limited in what we could do today, they wouldn’t even have a business.
So in closing, goodbye to RSA for this year, and we’ll see all of you next year.