<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">John Newton</b> <span dir="ltr"><<a href="mailto:notifications@github.com">notifications@github.com</a>></span><br>Date: Mon, Apr 18, 2016 at 4:35 AM<br>Subject: Re: [WhiteHouse/source-code-policy] Email Comment: Department of Homeland Security Office of the Chief Information Officer and Components (#152)<br>To: WhiteHouse/source-code-policy <<a href="mailto:source-code-policy@noreply.github.com">source-code-policy@noreply.github.com</a>><br>Cc: misdemeaner <<a href="mailto:turnerbrentm@gmail.com">turnerbrentm@gmail.com</a>><br><br><br><p>The comment "Many private companies (especially security companies) do not publish their source code is because it allows attackers to...[et al]" fails to address the primary reason that private companies do not publish their software. They do not release their software because they are trying to make money on it and are trying to prevent other people using it unless they are paid. This is the issue that this policy is trying to address and to deny that will end up costing the Federal Government millions or billions for that very reason. I was the founder of Documentum (closed source) and Alfresco (open source) and are therefore familiar with both models. Security of the software very, very rarely has anything to do with keep code closed.</p>
<p>What this argument fails to take into account, but many military and intelligence agencies have, is that open source is inherently <em>more</em> secure. Transparency of source code means that many more eyes have looked at the code and often corrections are provided by people who discover vulnerabilities. When we have done penetration testing, the pen testers are able to find any potential faults and they are corrected. When code is a black box, it is a race by brute force means to discover the holes. Even then, corrections may take awhile as it goes back to the original team to fix. With open source you have other options.</p>
<p>Having open source also allows for more secure alternatives. Many of the security and intelligence agencies have deeper requirements than the commercial world. With closed source companies, they are at the mercy of the vendor to prioritize those changes that may be useful for a small number of companies. We have already seen that with open source these agencies will create their own alternatives. Using tools like Github, they can keep track of the evolution of the open source platform and maintain their own more secure extensions.</p>
<p>Finally, many closed source products already use 20% open source code at least. Anything written in anything other than .NET probably has significant amounts of open source code. That does not make them insecure. If I were the DHS, I would be more concerned about the large vendors writing significant amounts of code in China, which is later released to the world without the review of the wider open source community.</p>
<p>The comment about the Mafia having access to FBI code is ironic, because the FBI uses open source. Not everything, but some things. That means the Mafia does have access and it does not make one bit of difference. Open code does not mean unsecure code. Transparency and constant review makes secure code.</p>
<p style="font-size:small;color:#666">—<br>You are receiving this because you commented.<br>Reply to this email directly or <a href="https://github.com/WhiteHouse/source-code-policy/issues/152#issuecomment-211340966" target="_blank">view it on GitHub</a><img alt="" height="1" src="https://github.com/notifications/beacon/ARo1iORj3ozBpv1jIiKdmmzzUt1GXwXNks5p42x9gaJpZM4IEtuW.gif" width="1"></p>
<div>
<div>
</div>
</div>
</div><br></div>