In “Buy vs. build to reduce insider threats”, Rob Morrow (Public Sector CTO at Cloudera) makes an argument about the vulnerability of open source code.
But not just any open source code.
Mr. Morrow suggests that when agencies build in-house solutions using “free” open source code, the chances of unintentional human error and insider threats increase. In his words, when developers “take the free code available to anyone and build their solution on top of it,” the probability of bad code finding its way into the stack is much higher.
His argument is not against the use of open source code. Quite the contrary; Cloudera has built a business around integrating Apache Hadoop’s open source ecosystem for its clients. What he is saying is that empowering development teams to select open source code at their convenience is a vulnerability. Best for those teams to rely on “commercially supported” open source technologies, those that have been tested and verified by an organization such as Cloudera that makes secure code an imperative.
I buy the argument. But I’d guess the issue isn’t as simple. I’d guess there are public sector development teams that have as disciplined a code review process as any commercial firm. But then again, I’d guess there are a number that don’t. By the same logic, I’d bet some commercial code disciplines can leak a little oil too.
I imagine this is a polarizing issue, and I’m interested to hear the points on both sides!
Article originally published in Federal Computer Week, May 22, 2017