back to article Nearly one in two industry pros scaled back open source use over security fears

About 40 percent of industry professionals say their organizations have reduced their usage of open source software due to concerns about security, according to a survey conducted by data science firm Anaconda. The company's 2022 State of Data Science report solicited opinions in April and May from 3,493 individuals from 133 …

  1. karlkarl Silver badge

    Open-source or not, this is surely an obvious choice.

    Seeing projects (typically web) pulling in hundreds, if not thousands of dependencies from PIP, CPAN, crates.io, NPM, etc always makes me cringe.

    Did anyone ever think this was not going to result in a security issue (and other technical debts). Especially in network related software it seems particularly mad.

    Maybe open-source is getting a bit of flack because this kind of development style is less common with proprietary software. No language based package managers just for close-source for example.

  2. Howard Sway Silver badge

    "open-source software is deemed insecure, so it's not allowed" (28 percent)

    Presumably that 28% are quite happy to run Windows, the most insecure enterprise OS of all time. As well as, of course ,myriad cloud services and web technologies, all built on open source software.

    As for "data science", the definition of what this actually is appears to have expanded to mean "IT" - I have fortunately not yet encountered an "enterprise data scientist", but I'd be willing to bet 50p that they can't even tell me what a tuple is, or judge whether my schema is in Third Normal Form.

    All this survey has done has asked whether this open source thing that was discovered to have errors in it might have put some people off other open source things, because they might have errors too. Obviously people get worried when they hear of problems and would like to avoid them. But the idea that the solution is to only use proprietary software instead, implying that it never has problems, is laughable.

    1. Anonymous Coward
      Anonymous Coward

      Re: "open-source software is deemed insecure, so it's not allowed" (28 percent)

      Of course, it's laughable but you can always sue a proprietary vendor.

      1. pc-fluesterer.info
        FAIL

        Re: "open-source software is deemed insecure, so it's not allowed" (28 percent)

        really, can you? Did anybody ever sue M$? Or Apple? Or Oracle? Or ... (you name it)?

        1. jake Silver badge

          Re: "open-source software is deemed insecure, so it's not allowed" (28 percent)

          "Did anybody ever sue M$? Or Apple? Or Oracle? Or ... (you name it)?"

          Oh, sure! All the time. But not with any degree of sincerity.

          Lawyers always read the fine print first.

  3. Anonymous Coward
    Anonymous Coward

    Sounds odd to me

    We use open source and had no issues with the log4j, but I know of several instances of log4j issues all with proprietary paid for software using log4j and obsolete versions of other projects embedded in their apparently close source software.

  4. Grumpy Rob

    Clickbait title

    I must say that I think the article title is clickbait - but then that's becoming more and more common these days. Sigh.

    And I think the biggest security problem facing IT departments, well in Australia at least, is a shortage of people with IT skills. Doesn't really matter if it's open or closed source software - some clown will screw up the configuration and leave security holes. A friend supporting some software at a large semi-government organisation was gob-smacked when their outsourced Linux support person didn't know what logrotate was, and asked him how to install and use it. With that level of (lack of) knowledge how can you expect any thought to be given to security - they don't know what they don't know.

  5. Red Eskimo

    Nearly one in two industry pros retained or increased open source use over security fears

  6. Adair Silver badge

    Entropy

    Clearly the entropic principle is alive and well regarding the historic progress of institutional competence.

  7. BOFH in Training

    Real security professionals

    Should evaluate every tool or software on it's own merit.

    I don't think they are supposed to use a broad brush and assume all open source or proprietary software is good or bad.

    And having appropriate process for patches, tracking security issues, etc. If they only know of an issue after some publicity or mass hacking incidents, I will rather not have them around cos they may be worst then not having them.

    People may think they are secure cos they got official "security professionals" taking care of things, when they are totally open and easily hacked cos of the level of skills of the so called "security professionals" on staff.

    So now am wondering if they are real "security professionals".

    1. rnturn

      Re: Real security professionals

      It's not just OS security that's the problem. Years ago, I wound up discovering that the consultant that installed and did the initial setup of an enterprise batch processing system set it up so that all jobs ran as the application superuser. Apparently this "expert" had failed to read the fine manual about how to control access to batch jobs. The way it had been set up made it possible for anyone who logged in -- say, to restart a failed reporting job in the middle of the night -- to accidentally kick off a job that should only have been run by the DBAs. The fix was fairly simple and could have been implemented during the next scheduled downtime but was put on the back burner---indefinitely. One of those things that makes you go home and update one's resume.

  8. SJA

    Log4J

    IIRC log4j worked exactely as documented - the main problem was, people would not bother to RTFM and/or try to understand it. Also it's quite a mystery to me, while people seem to believe a black box is safer then OSS.

  9. MattPDev

    Happens here

    I work for large multinational defence company. Our open source usage is restricted without a very good explanation (corporate said no is all you get).

    I asked for Vim, denied as Notepad++ and VS Code are apparently the same. So I downloaded the Vim plugin for VS Code.

    I do get it to the point that open source needs to be managed. As someone else mentioned though, we are all Windows and Office everywhere. Frustrating!

    1. pc-fluesterer.info
      Happy

      Re: Happens here

      easy explanation: FOSS doesn't contain the backdoors required by state agencies ...

  10. localzuk

    Open Source isn't the problem

    As far as I can tell, the fact that is open source or not doesn't seem to be the problem. What seems to be the problem is lazy developers relying entirely on infrastructure outside their control. Building software that pulls packages from third party package management systems without any scrutiny of those packages etc...

    If organisations move away from open source software to proprietary software, but still maintain that lackadaisical attitude to software providence, they will still be facing problems further down the line...

    1. Anonymous Coward
      Anonymous Coward

      Re: Open Source is the problem

      Without money to be made, more and more software delivers just the basics, and then everything else is demanded to some external library developed by that "guy in Nebraska". Once IDE and compilers came with extensive libraries - i.e. including database connectors. Then today you just get a language, a few basic libraries, and everything else you have to download it from somewhere.

      Also, that makes almost impossible to write and sell extensive and curated libraries - you will be undercut by some free piece here and there - because you can't compete with free. And most open source users won't give a dime in return. Why a lot of open source projects are changing their license to be paid if used in a commercial environment?

      So actually, we're getting what we pay for...

  11. jake Silver badge

    Has nothing to do with the source license.

    The two biggest problems in IT security today are the same as they have been for the half century or so that I've been making money in the IT world, and probably go back to the dawn of time.

    The first is convincing management to throw enough money (resources) at the problem to have the correct hardware for the situation ... AND the staff to run it properly.

    The second is the big problem ... over 95% of the userbase is incapable of wrapping their tiny collective hive mind around the concept of security.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like