A correction regarding JBoss & where to address security issues... At Red Hat, we have have industry leading processes in place to address security concerns relating to any of our subscription products or community projects, including JBoss. This link covers our related security response processes and policies: http://www.redhat.com/security/team/contact/

We encourage anyone concerned with the impact of security issues in Red Hat products or community projects to continue to notify our Security Response Team at: secalert@redhat.com.

Aaron Darcy
Director, Product Line Management
JBoss, a division of Red Hat

I was disappointed by this article and CIO because I expected more thought given to articles on a site inspiring technical leadership. Unfortunately this fear-inspiring article was blasted across the IDG sites (Cio.com, ComputerWorld, CSOonline.com, InfoWorld, NetworkWorld, PCWorld) and likely others and the author failed to note or address specific points.

Larry Suto, the consultant in the study, has undertaken this same drama before: he performs some analysis and then releases a scare into the IT world. He published a study last October on web application security scanners. A response on HP's website, as well as other comments sprinkled throughout the Internet, indicate that attempting to recreate the study resulted in a discrepancies in the results. I am sure he enjoys the publicity from these marketing events: it's a shame the IT world does not consistently hold studies to the same scrutiny as the scientific world. Or perhaps they do and we only have the media to thank for the scare.

One blog noted that the Fortify story did not say that companies should not use open source because all open source is a security risk. As the blogger notes, "But that's how lazy reporters played it."

Likewise, one must wonder how much this has aided Fortify's sales. They are a security company and certainly the study is a great marketing tool. As a different blogger stated, "When reading vendor-sponsored studies consider the source."

The article's points on the need for a security contact and a development process with security throughout are excellent points. However, this need is not isolated to the open source world: even formidable Microsoft who announced they were implementing much stricter security controls in their development process continues to have security issues crop up in all aspects of their operating system and applications. All the world rejoiced--yet they still have security problems. Security isn't simply a magical silver bullet whether a developer is commercial or FLOSS.

One missing point about the open source project's security problems is that, since the applications are open source, if any individual or corporation discovers a flaw, they can patch their copy--no questions. They can protect themself and then let the world know. Can't do that with Fortify's software nor Microsoft.

I do not intend to get into a point-by-point "fisking" of this article. I simply want to ask that CIO.com gives their readers more thought-provoking, leadership-inspiring writing.

Poor article. Same old lack of understanding of open source. If you want to pickup a phone and call someone, then you need a support contract with vendor.

Keep in mind CIO needs ad revenue from somebody... ;-) How many Microsoft and other security ads did you see? Nice to see you people have a sense of humor in your articles.

This article tries to make a very strong statement with very weak supporting details. Any details such as the number of sql injection vulnerabilities are just clouded up and don't mean anything. Also, security "best practices" really doesn't mean anything. You need to have a standard against which you're comparing commercial and open-source, if you're going to try and make that case.

Again, CIO's reporters approach the question of open source with a commercial software mindset. They look at IT solutions with one underlying assumption, that is, that the IT staff is too unskilled or stupid to actually do anything but read a manual.

Open source is predicated on contribution. You find a bug, you help fix it, you contribute. A wonderful model, when it works. Too often though, commercial companies sit on their collective hands, waiting for someone else. Ohh, they complain, where do I get support? Hey, you, CIO, why not turn off that PowerPoint presentation and look out in your IT staff? Oh yea, you fired all the people with experience, and instead farmed it all out to a bunch of under-skilled, overseas labor. How's that working out for you, Sherlock?

For those of us who understand the open source model, we don't need to call someone when we find a bug. We actually go in and help fix the problem, contributing back to the community. Far too often, it's the commercial companies that waste my time, saying they'll have a patch later. Tick tock, and it's 6 months later. With an OS package, if it's a critical patch, I don't have to wait. Stop, read that one again...I don't have to wait.

So, if you want someone else holding your, well, IT jewels hostage, go buy a commercial package, pay the teams of consultants to install it, pay the extra 20% for enterprise support, and see what you get. Me, I'm just going to open up the code, find the problem, and patch it myself.