Response team boosts open-source security
OCERT steps in to help bridge the communications gaps
PC World - IT managers often assume that open-source software is more secure than proprietary commercial software. Anyone who uses open source can examine the original code to spot any lurking vulnerabilities, and potentially even fix the vulnerabilities themselves. With proprietary software, you have to trust the vendor to do it all for you.
But open source's supposed security advantage assumes three things: 1) someone is actually looking at the code, 2) security vulnerabilities are getting reported and fixed, and 3) information about those fixes makes its way to Linux distributors and other software vendors, which apply the fixes to their products. But what things aren't happening? As a customer, how can you be sure?
A new initiative aims to help. Founded in March, Open Source Computer Emergency Response Team (oCERT) was specifically created to act as a clearinghouse for security information about all kinds of open-source software.
Say you're a small open-source project -- maybe you only provide a library of code that's used in other larger applications. As a two-person effort, you don't have time to contact everyone who uses your code to let them know about a recent security flaw. That's where oCERT can step in to alert everyone. Similarly, large Linux distributions, which incorporate hundreds or even thousands of different open-source projects' code, can work with oCERT to make sure all the holes get plugged in all the right places.
Open-source users can help the oCERT effort, too, by reporting security incidents. If you're a business that is experiencing a potential software exploit, oCERT can offer reliable security contacts in the open-source community that can help you plan and coordinate your response.
In keeping with open-source tradition (and open-source budgets), oCERT is a volunteer effort, and it provides its services free of charge. The team's operating costs are underwritten by corporate sponsors -- most recently Google Inc., which posted a detailed summary of why this effort is so important to a blog on Monday.
All in all, oCERT sounds like a worthwhile project that will provide a valuable service to the community of open-source vendors and customers. Let's hope it wins enough support to sustain itself for the long run. (That name might be a problem, for starters -- CERT is a trademark of Carnegie Mellon University.)
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Benefits of IBM: The Savings of Open Source Download Now
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Open Source White Papers | Webcasts