Topics: Open Source

Many Eyes, But How Many Brains?

Posted by Serdar Yegulalp, Jul 16, 2008 11:02 AM

I've written before about how the "many eyes" philosophy of open source security is only a starting point. Now a post at InfoWorld's Open Sources blog asks a parallel question, in the wake of two security holes being unveiled in the Spring Framework. If anything, this reinforces my opinion from before: Open is not automatically a synonym for safe.

The main question the authors derive from all this: "Are merit-based OSS projects more secure than single-vendor-driven OSS projects?" To put it another way:

If developers outside the company can't contribute code, what is the likelihood that a developer will look at a piece of code within the project and ask, "How can I make this better?" -- and in the process uncover a potential security issue?

My feeling is that the structure of the project -- merit-based vs. vendor-supported -- isn't as important as whether or not there is someone on the project team whose full-time job (as far as the project goes) is to perform security auditing. It might be better if that position was reinforced with compensation -- i.e., someone was getting paid to do that kind of gruntwork -- but if someone who genuinely cares about the project is doing it, that's also fine. What matters is that someone on the team is doing it, that it is their explicitly appointed duty to do so, and that they are suited for the job.

Now: Is it easier to guarantee those things with a vendor-driven project? That depends on who's running things in the first place. Having positive cash flow is no guarantee of competence, although it is one of the better signs that the folks in charge have some idea of what they're doing.

It all comes back to something I keep running into with open source: It's almost never about the code, but the people involved. If they run a tight ship, it doesn't matter where the money comes from or even if there's much money at all. If they don't, then all the openness in the world won't save them. Or anyone else.

« Google: Some Android Developers Are More Equal Than Other Android Developers | Main | The Rise Of Enterprise-Class Cloud Computing »

This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.

Blog Categories
Healthcare Cloud Computing Enterprise 2.0 Digital Life Grok On Google Over The Air Outsourcing Global CIO Startup City Information Management Content Management Green Computing Full Nelson Unified Communications	Government IT Analytics Tech Stocks Interop Security Microsoft Apple Unvarnished Open Source Wolfe's Den David Berlind's Tech Radar Virtualization Storage Backup and Business Continuity Blog Homepage

Multicore Programming Blog

Join The InformationWeek Group On LinkedIn

InformationWeek

Business Innovation Powered By Technology

Many Eyes, But How Many Brains?