A colleague of mine is very frustrated with his campus IT people just now.  The library would like to run MediaWiki, but the campus IT boss will have none of it.  “It’s open-source, and open-source is insecure,” he claims.

I have a big communications gap with such people–we might as well not be speaking the same language, because we have no common frame of reality to work from.  This individual just doesn’t realize that, like high-fructose corn syrup, open source is in just about everything these days.  This particular institution is using Apache, for instance, for all of its’ web servers.  The journalism department standardized a year ago on MacBooks and iMacs (which run OS X, which has lots of open-source bits at its’ core).  And yet, a huge percentage of their security-related helpdesk tickets relate to security problems on Windows Server instances.  Go figure.

It’s been contended before, and I agree, that open source software is inherently more secure.  In a closed-source project, the only white-hats that are looking at the code work for the project, while the number of black-hats is effectively limitless–and in fact, the bad guys take it as a challenge, I suspect, to try to hack at those programs.  In LibLime’s open-source world, the number of security-positive, well-trained people that are looking at the code, finding and fixing problems, is also not artificially limited.

But the head-in-the-sand IT boss persists: “But then, everyone can see the vulnerability!”  What he’s ignoring, clearly, is that anyone can fix the vulnerability, instead of having to wait for the vendor to come out with a patch.   Maybe we’ll never get through to some people.  But they’ll retire, eventually.

What about you?  Find an open source project that does important things for you, and support it.  Even a little help, with documentation, say, or even a little bit of code, or testing it out on a platform that the developers haven’t got access to, will help that project move along, and is greatly appreciated by the project team.  If you’re not equipped to do that, just send the team a note, and let them know you’re using their work.  They’ll appreciate that, too!