[SCADASEC] Fw: RE: Why open source software is more secure
Bob Radvanovsky
rsradvan at unixworks.net
Thu May 8 11:40:38 CDT 2008
I know that I am re-hashing the issue of 'open source development' again, but wanted to identify that this is a cross-posting from another sector, specifically healthcare (which is THE most critical because lives are at stake), as these folks have investigated utilizing 'open source' as a possible solution for their enterprise.
I am *not* saying that 'open source' is good and that we should jump in, but rather that SCADA and control systems aren't the only ones dealing with the "should we or should we not use it" scenarios involving 'open source'.
Food for thought...
-rad
----- Original Message -----
From: "Hayes, Ian" [mailto:ihayes at nvcancer.org]
To: security-basics at securityfocus.com
Subject: **SPAM** RE: Why open source software is more secure
> > -----Original Message-----
> > From: listbounce at securityfocus.com [mailto:listbounce at securityfocus.com]
> > On Behalf Of David Harley
> > Sent: Thursday, May 08, 2008 8:36 AM
> > To: security-basics at securityfocus.com
> > Subject: RE: Why open source software is more secure
> >
> > > The main goal of a software vendor is not to bring you a
> > > _good_ product, but to sell it you. That is the only truth
> > > about that.
> >
> > And I thought I was cynical... I'm not saying that there aren't poor
> > products, but there are companies who see making a quality product as a
> > sales asset, and making a living out of selling a product doesn't mean you
> > can't believe in and be passionate about improving that product.
>
> Companies that make bad products usually get weeded out in our market
> system. I say usually. Someone's going to take umbrage and argue the
> point that some companies put out bad products and still survive
> somehow. I'm aware of this.
>
> > > That's why the product might be fully featured,
> > > nicely decorated and published on time: the vendor is
> > > economically motivated to make it this way. But there's no
> > > sense to make it secure and stable because the only motive
> > > for this is liability, which does not exist in the software industry.
> >
> > This is exactly the wrong way round. Selling a product usually establishes
> > a contractual liability. Open source software is unsuitable in many
> > contexts precisely because of the difficulty of establishing liability in
> > the event of a problem.
> >
> > I'm not saying that good (excellent, even) open source software doesn't
> > exist: I use some myself. But there is also stuff around that couldn't
> > survive commercially because of its limitations and/or lack of support.
>
> Exactly. When we were looking for an Electronic Medical Records system
> (EMR), the idea of open source didn't even come across the table. The
> Veteran's Administration has a lovely open-source EMR called VistA, but
> if something breaks, we need to be able to pick up a phone, call someone
> and get it fixed. Our Board and upper-level execs aren't comfortable
> with the idea that something so critical doesn't have some kind of 24/7
> professional support. There is certainly an amount of apprehension in
> upper management in a lot of organizations about something you get for
> free.
>
> That's not to say that I don't use open source software here, but I'm
> not going to use it for something so critical without some kind of
> support system.
>
> I've evaluated other open source projects that offer some kind of
> professional support and services contract. Some of them just don't make
> the cut versus commercial software. Even if commercial software costs
> twice or three times the cost of buying support for a FOSS product, I
> can't recommend going open source if the software is no good or doesn't
> compare favorably. Some FOSS products don't scale well in enterprise
> environments. I'm not saying they never will, just not right now.
>
> --
> Ian Hayes
> Systems Engineer
> Nevada Cancer Institute
> Office:(702) 822-5156
> email: ihayes at nvcancer.org
> http://www.nevadacancerinstitute.org