Transparency: proprietary software versus open source software

  • Published: 14 Oct 2024
  • In this Upstream fireside chat, Tidelift CEO and co-founder Donald Fischer sits down with Red Hat VP of Product Security Vincent Danen as he challenges some of the common perceptions about open source software security. By changing how we think about open source security from an exercise in creating “vulnerability-free” software (a compliance-driven exercise) to one where the purpose is minimizing the potential or severity of a breach (a risk-driven exercise), we may actually reduce our security costs and improve our outcomes at the same time.
    Watch the full talk here: explore.tideli...
    Transcript:
    Since this is Upstream and we're talking to a bunch of open source folks, I'm going to use an analogy that I actually came up with last week when we were talking. And it really is about the transparency of open source versus the opaqueness of proprietary software. I look at it as-I brought props, I hope you don't mind-I look at it like this water bottle. I can see precisely how much water is in here. Let's take this as the sum total of vulnerabilities in a product or a project. The bulk of these are going to be low and moderate vulnerabilities. If I look at it, maybe we'll go up to this line here, this is your criticals and your importants, this is the stuff that matters. But I can still see the rest of this, right? So if I'm sitting here looking at it from the “I want my bottle to be empty”-I need to drink all of this, which means most of these lows and moderates don't matter. And that's one of the benefits of open source in terms of transparency.
    If we look at it from a proprietary side, it's a little bit like this: it's water too; it's flavored water. But here, when you're looking at it, you have no idea how much water is in here. So I can't tell, are the critical and important ones sitting here? And the rest of this is nothing? Or is a proprietary vendor going to say, “no, no, it's all critical importance”? Maybe I should have gotten a smaller container. Because that's kind of what it looks like. It looks like there are a lot fewer vulnerabilities on the proprietary side because you can't tell what's there. We have no idea if they're fixing these things and not telling us. They're aware of them and just not fixing them, because they're eh, these are just basically bugs. There's literally no information, right?
    Contrasting that to open source where you do have that information. I think that's one of-call it Damocles’ sword. It is one of the benefits of open source that I can see everything, and if there's something in there that I'm uncomfortable with, and I have an actual use case for it, I can go to my vendor and say, “Hey, this thing is actually impactful for me, and could you please fix it?” Or because it's open source, I can take matters into my own hands, and I can patch it as well. Or I know that there's a vulnerability there and I can swap out a dependency or change my code or something like that, based on that. You have options. On the proprietary side, you don't.

Comments • 1

  • @COLLAPSEDCROC
    @COLLAPSEDCROC 3 months ago

    If I am an AI Hybrid human (Neurolink) would open source still be my best option?..(◔‿◔)