"What I'm concerned about is, if I bring the code in, will it start writing out my database to a server somewhere?" said Rycroft, who asked that his corporate affiliation be withheld.
His company's own developers are thoroughly investigated and required to undergo security training prior to writing company code. Likewise, vendors of proprietary software are required to sign contracts swearing that they've been through the same thing.
He mentioned terrorists in particular as a concern: what if his company adopted an open-source package, and a terrorist slipped a Trojan horse into it?
Now I think the concern about terrorists is far-fetched. Terrorists are more concerned with blowing things up and releasing poison gas than writing open-source software. But worry about thieves is not far-fetched; indeed, phishing scams and other forms of identity theft demonstrate every week that professional computer criminals are targeting financial institutions and their customers.
Moreover, it's easy for me to say fears over terrorism are far-fetched; I'm not responsible for billions of dollars of other people's money. As a matter of fact, the company Rycroft works for is a company I do business with. So I'm pleased to find that this company is devoting resources to figuring out how malefactors might break into its systems, and how to stop those malefactors.
If I found out that the company had a team of people researching the threat posed by mind-control aliens from Neptune, I would likely react by asking if they'd ever considered the threat of bloodsucking mind-control aliens from Neptune. Because it's better to think these things through than to get a nasty surprise.
Several attendees at the BOFS attempted to counter Rycroft's concerns.
Martin Doettling, VP of worldwide marketing for CollabNet, pointed out that the U.S. Department of Defense uses open-source software, apparently having satisfied itself over security concerns. He also noted that there are several companies that evaluate, certify, and support open-source packages. CollabNet, a vendor of collaboration software, uses open-source software in its products.
James McGovern, chief security architect for the Property and Casualty Division at The Hartford, said those applications are so small that they can easily be reviewed by in-house developers to assure their security.
What do you think? Are open-source users risking allowing Trojan horses into their enterprise?