Sometime you would have to wonder whether logic totally escapes CIOs. In an article making comment on the The Australian Open Source Industry and Community Report 2008 prepared by Waugh Partners, ZDnet put out an article entitled “Open source barred from Australian government”. What I found particularly curious was a comment from the CIO of the Australian Tax Office, Bill Gibson. In it, he says that he “is concerned that open source software could not be as easily scrutinised as proprietary software”. This is probably a paraphrase from an earlier published interview by Zdnet where he is quoted as saying – “We are very, very focused on security and privacy and the obligations that we have as an agency to ensure that we protect those rights of citizens’ information in that respect. So, we’ve continued to have concerns about the security related aspects around open source products. We would probably need to make sure that we will be very comfortable — through some form of technical scrutiny — of what is inside such a product so that there was nothing unforeseen there.”
So how does he “scrutinise” proprietary software? I guess at best, you might be able to get to see the source code, but the license to see is usually going to be under a NDA, and it is unlikely one organisation is really going to have the skills and resources to examine all the code. And even then there are going to be dependendent libraries that you may not be able to have source code access. But in most cases, you will only be able see your software as a blackbox. If you do perform security analysis you will always limited in what you can test in this case. I just don’t see how with a blackbox you can successfully search out all the nooks and crannies with a high level of confidence.
Only with open source code to you, and the “many eyes” out there, do you have the opportunity to truly scrutinise the code. You also then are able to create and receive patches for any found vulnerabilities. Clearly the bad guys have a similar opportunity to review the source, but the evidence overwhelming supports the idea that open source inherently is less likely to have hidden security flaws and is able react to unforeseen attacks with greater rapidity.
I would be really interested to find out who Bill Gibbons has been taking advice from on software security.