Open Source Security: Still a Myth
Subject:   Awareness is step one.
Date:   2004-09-18 09:55:25
From:   Trusty
I think the author makes good points that apply to both open and closed source camps. I do not detect any intentional FUD making going on.

Awareness and education of security issues are a necessary first step. Let's be honest and admit that it is a good thing that Microsoft has upped their efforts in this area, even though many would say too little, too late.

The next step is actually writing secure code, and there will be some developers who will excel at this and others who will be less than stellar, no matter how much effort they put in. There is no doubt that the final result will be less if you do not have the goal of strong security at the outset.

While this might be a simplification, these discussions seem to get muddled by those folks who have their tail feathers ruffled whenever the topic overlaps into FOSS vs. proprietary issues. The process might be different but the end results should be the same.

The company I am with will soon be selling a product that converts a Linux system into a trusted operating system, with mandatory access controls and fine grain auditing of all system users. It does not trust the users or the applications. It provides core security and the auditing capability that the author calls for. The base module is open source, but we sell commercial tools that save time and money for the enterprise.

I fear that rather than looking at whether the product really works, energy will be wasted debating the commercial aspects of our products. That is the shame of these arguments.