Closed-source security solutions

by cthoyes (Flickr) – CC BY-NC-ND
The recent report of someone finding backdoors in Barracuda Networks’ firewall and VPN products didn’t surprise me much. What else do you expect from a closed-source solution? I mean really, when are people going to stop trusting black-box solutions? Security is always a trust issue no matter what aspect you are looking at. Why would you trust something with your security without knowing exactly what it does and how it works?
Open source solutions are completely different. You can look inside, see how things work, make changes if you like, and trust the solution works the way you expect it to. You aren’t trusting the company that is selling it to you but rather you are trusting yourself or your own people. Why would you want it any other way?
Sparks' Linux Journal by Eric "Sparks" Christensen is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at https://sparkslinux.wordpress.com/license/.




While I suppose the question is purely rhetorical, let’s answer it nonetheless. Usually, it boils down to not having the resources inside to do otherwise. Or because you prefer to shift the responsibility to a vendor.
Oh, you can shift all the responsibility to a third party all you want, but your customers are still going to come looking for *you* when bad things happen. The patient isn’t going to come looking for Cisco or any other vendor when their medical records get released on the Internet. They are going to come looking for the hospital or doctor’s office where the data was being stored. Worse yet, once that data is out in the open there is no way to remove it.
If you don’t have the resources inside to do the work then you can either a) find and hire the needed resource or b) trust that open source solutions already have more eyes on them (especially if they are supported through a major company).
Ultimately, the responsibility for security does not lie in the hands of vendors but right at the doorstep of data owners.
I agree, but I am not the one to convince. And the issue is that, if you ask the vendors, they will say they are certified. They will explain that others use their solutions, that they use rigorous testing. I guess I do not need to explain how the business of security works…