Don't Put That In Your Mouth, You Don't Know Where It's BeenDon't Put That In Your Mouth, You Don't Know Where It's Been

One of the major objections to open source is that nobody's responsible for the code. Enterprise users need to be sure that the software they're deploying is secure. The way they do that for proprietary code is to bind the authors with contracts, requiring the authors to guarantee that the code has been reviewed for security. But you can't do that with open source because anyone can contribute to open source, and, ultimately, there's no single party that can be held responsible for the software's security. You don't know where it's been.That issue came up at a Birds of a Feather Session (BOFS) at the information Spring Conference. The BOFS was one of several informal discussion groups of IT managers with like-minded concerns, facilitated by information editors. At the Open Source BOFS, Stephen B. Rycroft, a director at a multibillion-dollar financial services company, raised concerns about accountability and security.

"What I'm concerned about is, if I bring the code in, will it start writing out my database to a server somewhere?" said Rycroft, who asked that his corporate affiliation be withheld.

His company's own developers are thoroughly investigated and required to undergo security training prior to writing company code. Likewise, vendors of proprietary software are required to sign contracts swearing that they've been through the same thing.

He mentioned terrorists in particular as a concern--what if his company adopted an open-source package, and a terrorist slipped a Trojan horse into it?

Now I think the concern about terrorists is far-fetched. Terrorists are more concerned with blowing things up and releasing poison gas than writing open-source software. But worry about thieves is not far-fetched; indeed, phishing scams and other forms of identity theft demonstrate every week that professional computer criminals are targeting financial institutions and their customers.

Moreover, it's easy for me to say fears over terrorism are far-fetched; I'm not responsible for billions of dollars of other people's money. As a matter of fact, the company Rycroft works for is a company I do business with. So I'm pleased to find that this company is devoting resources to figuring out how malefactors might break into its systems, and how to stop those malefactors.

If I found out that the company had a team of people researching the threat posed by mind-control aliens from Neptune, I would likely react by asking if they'd ever considered the threat of bloodsucking mind-control aliens from Neptune. Because it's better to think these things through than to get a nasty surprise.

Several attendees at the BOFS attempted to counter Rycroft's concerns.

Martin Doettling, VP of worldwide marketing for CollabNet, pointed out that the U.S. Department of Defense uses open-source software, apparently having satisfied itself over security concerns. He also noted that there are several companies that evaluate, certify, and support open-source packages. CollabNet, a vendor of collaboration software, uses open-source software in its products.

Rycroft said he's not so much concerned about major packages like Linux, but rather smaller projects like the Tapestry and Rails development tools.

James McGovern, chief security architect for the Property and Casualty Division at The Hartford, said those applications are so small that they can easily be reviewed by in-house developers to assure their security.

What do you think? Are open-source users risking allowing Trojan horses into their enterprise?