[CAVO] Fwd: [WhiteHouse/source-code-policy] Email Comment: Department of Homeland Security Office of the Chief Information Officer and Components (#152)

Brent Turner turnerbrentm at gmail.com
Mon Apr 18 11:38:26 UTC 2016


---------- Forwarded message ----------
From: John Newton <notifications at github.com>
Date: Mon, Apr 18, 2016 at 4:35 AM
Subject: Re: [WhiteHouse/source-code-policy] Email Comment: Department of
Homeland Security Office of the Chief Information Officer and Components
(#152)
To: WhiteHouse/source-code-policy <source-code-policy at noreply.github.com>
Cc: misdemeaner <turnerbrentm at gmail.com>


The comment "Many private companies (especially security companies) do not
publish their source code is because it allows attackers to...[et al]"
fails to address the primary reason that private companies do not publish
their software. They do not release their software because they are trying
to make money on it and are trying to prevent other people using it unless
they are paid. This is the issue that this policy is trying to address and
to deny that will end up costing the Federal Government millions or
billions for that very reason. I was the founder of Documentum (closed
source) and Alfresco (open source) and am therefore familiar with both
models. Security of the software very, very rarely has anything to do with
keeping code closed.

What this argument fails to take into account, but many military and
intelligence agencies have, is that open source is inherently *more*
secure. Transparency of source code means that many more eyes have looked
at the code and often corrections are provided by people who discover
vulnerabilities. When we have done penetration testing, the pen testers are
able to find any potential faults and they are corrected. When code is a
black box, it is a race by brute force means to discover the holes. Even
then, corrections may take a while as it goes back to the original team to
fix. With open source you have other options.

Having open source also allows for more secure alternatives. Many of the
security and intelligence agencies have deeper requirements than the
commercial world. With closed source companies, they are at the mercy of
the vendor to prioritize those changes that may be useful for a small
number of companies. We have already seen that with open source these
agencies will create their own alternatives. Using tools like Github, they
can keep track of the evolution of the open source platform and maintain
their own more secure extensions.

Finally, many closed source products already use 20% open source code at
least. Anything written in anything other than .NET probably has
significant amounts of open source code. That does not make them insecure.
If I were the DHS, I would be more concerned about the large vendors
writing significant amounts of code in China, which is later released to
the world without the review of the wider open source community.

The comment about the Mafia having access to FBI code is ironic, because
the FBI uses open source. Not everything, but some things. That means the
Mafia does have access and it does not make one bit of difference. Open
code does not mean insecure code. Transparency and constant review make
secure code.

<https://github.com/WhiteHouse/source-code-policy/issues/152#issuecomment-211340966>