I don't disagree. That is the flip side of the situation. I think what you wrote is true, and what I wrote is true.
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Itschak Mugzach Sent: Saturday, February 12, 2022 11:39 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem' If someone develops code that is vulnerable, only the organization he works for is (potentially) affected and the attacker does not have access to the code to play with. With open source, the code is accessible to everyone, and the problem hits millions of organizations. The problem is not the vendor that makes use of open source, it is the fact that when the vulnerability is discovered, there is a time window until it is patched. And this is only if it was discovered by an ethical bug hunter. This is why I am not impressed (but do appreciate the effort) by the tools David and his company uses. They do their best, but it will not help in case of a zero date and the scale of an open source vulnerability is unlimited compared to a specific local code, bad as it is. The funny thing is that although millions of eyes look at "open source" (as Chrles mentioned) they rarely find the vulnerability in a very common, highly used code (such as log4jv2 that has been here since 2012...). Saying that, open source is here to stay. Just don't wait for the vendor to report on vulnerabilities. Scan it yourself frequently. My two israeli shekels cents (Actually called "agorot"). ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Sat, Feb 12, 2022 at 7:04 PM Charles Mills <charl...@mcn.org> wrote: > Nobody asked me, but I think David buried the most important point in the > middle. I have seen lots of TERRIBLE code written by "engineers from big > tech." That's not the key point. The key point is > > > the code is in the open and can be scrutinized by millions of people > > There are thousands (if not millions) of people, ranging from high school > code nerds to professional security consulting firms, hoping to make a name > for themselves by being the first to spot some vulnerability in Apache, the > Linux kernel, etc. That is an incredible free code inspection service. That > is the key to the security of open source (IMHO). > > You can't say that for most in-house software. You all know what corporate > culture is like. #1 your boss is not paying you to scrutinize other > peoples' code. And #2 if you spot some flaw in Bob's code you keep your > head down, because Bob is such a grump and does not take criticism well. > > And BTW this is coming from someone (me) who is basically a proprietary > software guy. I made my money writing conventionally-licensed proprietary > software. I have never contributed to an open source project. > > Charles > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of David Crayford > Sent: Friday, February 11, 2022 11:39 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem' > > On 12/2/22 4:56 am, Radoslaw Skorupka wrote: > > Well, who said it is not a problem??? > > I do. I maintain that proprietary code has just as many vulnerabilities > as open source. In fact, I would suggest that open source code is better > as the standard of engineer tends to be much higher than your average > Joe coder working for a bank. Also, the code is in the open and can be > scrutinized by millions of people. Who do you think develops open source > software? Is it hobbyists, enthusiasts, students, academics etc? The > truth is it's mostly engineers from big tech who are getting paid to > develop open source. Check out the authors of Apache Commons components > and it's IBMers > https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were > the organization that stumped up the cash and resources to develop > Eclipse. A huge amount of Apache open source code is written and > maintained by IBM and it's used extensively in their products. > > > > It sounds like "open source is free of bugs". However I have never > > heard such claim. > > Nobody is saying that. That would be ignorant and stupid. All software > has bugs. > > > > More: companies use some kind of whitelisting open source software. In > > many cases software developer is not allowed to use "fancy, shining > > code" just because there some requirements are on met. It can be > > community, reputation, maturity, etc. > > How can a company whitelist open source software if they purchase a > product from a vendor or IBM that uses open source? As our products are > sold and marketed by IBM we provide them with a Certificate of > Originality which is a bill of materials that lists all of the open > source software (with versions) that we use. We scan all of our products > as part of our DevOps pipeline. There are three types of scans: > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
