Before the Thanksgiving holiday I wrote a post about the security of open source apps in the health care field. It was itself in response to a post written by Rafal Los, a security researcher and evangelist with HP. After going back and forth on Twitter and Raf responding to my post with another post, we decided to sit down and discuss this all like civilized gentlemen. Below is our conversation.
As is usually the case, Raf and I found that we agreed on a lot more than we disagreed on. Raf does not think that open source is any less secure than non-open source software. He thinks that the fact that there are commercial entities behind non-open source software (of course there are commercial entities behind much open source software now too) gives at least "a throat to choke".
The bigger issue to Raf, though, is that many SMBs don't know better or, worse, don't care. The commercial apps in the health care world are just out of reach for many SMBs (I don't think that is just a health care thing either). So they go for the lower cost option (often it is only the lower initial cost, not the lower total cost), which many times is an open source solution. They just don't care enough about whether the solution is secure or not.
Unfortunately, this is an old lament in the security world. I have been dealing with it for years. No one ever says security is not important to them. It is always given as a high priority. But their arms never reach their pockets, it seems.
What will it take for SMBs to take security seriously enough that they will question whether their open source tools are secure? Raf and I have some ideas, but you will have to listen to this 20-minute interview to find out more on that.
Why don't SMBs have more choices? It is not because security is too hard. I don't think security has anything to do with SMB choice. Many enterprise-class software packages are just not practical for the SMB world. It sounds to me like a great opportunity, and open source would fit the bill.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.