Security of open source in a post-Heartbleed world

The open source horse has bolted: organisations must scrutinise not just the software they use but the network around it, to ensure that it doesn't put data at risk.

That was the consensus of IT leaders speaking at Computing's Enterprise Security and Risk Management Summit, which took place at the London Tower Bridge Hilton Hotel.

During a panel discussion on the subject of "Keeping up with the security threats of today: can you future-proof your business?", Computing editor Stuart Sumner asked whether the participants were more doubtful about the security of open source software in the post-Heartbleed world.

"I think it's horses for courses. Open source needs more scrutiny," said Barry Coatesworth, chief information security officer for New Look.

"There are pros and cons. But I think it boils down to what's the habitat, where's the business going, is it cost saving to use open source? So it's swings and roundabouts," he added.

Marc Lueck, director of global threat management at publishing company Pearson, continued with the horse theme, using it to argue that open source is already embedded in the enterprise and that security personnel must account for it when managing risks and networks rather than debate whether to adopt it.

"I'd add to that using a horse analogy; the stable door is open and the horse has bolted. We don't have the opportunity to change our minds now, we're using open source, that decision is made," he said. "We now need to figure out how to fix it, how to solve it, how to protect ourselves from decisions that have already been made."

However, Ashley Jelleyman, head of information assurance at BT, took the view that no matter what sort of software is being used, it still has to be properly evaluated for security.

"I think the real issue is not whether it's open source or closed source, it's actually about what you do with it and how you actually evaluate it to make sure it's fit for purpose. It's have we checked this through, are we watching what it's doing?" he said.

"One of the things we can look at - whether it's open source or closed source software - is whether it's doing things that are expected. It's about having an eye on not just the software but the whole network around it, its environment, to make sure you're not seeing shed loads of data disappearing out of your extranet for no good reason," Jelleyman added.
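The check Jelleyman describes, watching the network around the software for unexpected volumes of outbound data, can be implemented as a simple per-host egress baseline. The following is an added illustration, not code from the article or from any of the organisations mentioned: it assumes hourly flow records of the form (hour, source host, destination IP, bytes out) such as a NetFlow collector or proxy log would give, and the host names, addresses and byte counts are constructed sample data. A host is flagged when its outbound volume in an hour exceeds a multiple of the median of its own earlier hours and also clears an absolute floor, so that a tiny host doubling its traffic does not page anyone.

```python
"""Flag hosts whose outbound data volume in an hour far exceeds their own baseline.

Added example: the flow records below are constructed, not taken from any real
network or from the article.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (hour, src_host, dst_ip, bytes_out).
# web-01 behaves normally for six hours, then pushes ~900 MB to one external IP.
# mon-02 spikes relative to its baseline but stays far below the absolute floor.
SAMPLE_FLOWS = [
    ("2014-04-08T00", "web-01", "203.0.113.10", 1_200_000),
    ("2014-04-08T01", "web-01", "203.0.113.10", 1_500_000),
    ("2014-04-08T02", "web-01", "203.0.113.10", 900_000),
    ("2014-04-08T03", "web-01", "203.0.113.10", 1_100_000),
    ("2014-04-08T04", "web-01", "203.0.113.10", 1_300_000),
    ("2014-04-08T05", "web-01", "203.0.113.10", 1_000_000),
    ("2014-04-08T06", "web-01", "203.0.113.10", 60_000_000),
    ("2014-04-08T06", "web-01", "198.51.100.7", 850_000_000),
    ("2014-04-08T00", "db-01", "10.0.0.5", 5_000_000),
    ("2014-04-08T01", "db-01", "10.0.0.5", 5_200_000),
    ("2014-04-08T02", "db-01", "10.0.0.5", 4_800_000),
    ("2014-04-08T03", "db-01", "10.0.0.5", 5_100_000),
    ("2014-04-08T04", "db-01", "10.0.0.5", 4_900_000),
    ("2014-04-08T05", "db-01", "10.0.0.5", 5_300_000),
    ("2014-04-08T06", "db-01", "10.0.0.5", 5_000_000),
    ("2014-04-08T00", "mon-02", "203.0.113.44", 10_000),
    ("2014-04-08T01", "mon-02", "203.0.113.44", 10_000),
    ("2014-04-08T02", "mon-02", "203.0.113.44", 10_000),
    ("2014-04-08T03", "mon-02", "203.0.113.44", 10_000),
    ("2014-04-08T04", "mon-02", "203.0.113.44", 400_000),
]


def aggregate(flows):
    """Return per-(host, hour) totals and per-(host, hour) byte counts by destination."""
    totals = defaultdict(int)
    by_dst = defaultdict(lambda: defaultdict(int))
    for hour, host, dst, nbytes in flows:
        totals[(host, hour)] += nbytes
        by_dst[(host, hour)][dst] += nbytes
    return totals, by_dst


def flag_egress_anomalies(flows, factor=5.0, min_bytes=50_000_000, min_history=3):
    """Flag hours where a host sends more than `factor` times the median of its
    earlier hours AND more than `min_bytes` in absolute terms.

    The baseline is per host and uses only hours before the one being judged,
    so a single large hour cannot poison its own baseline. Hours with fewer
    than `min_history` earlier observations are skipped (no baseline yet).
    """
    totals, by_dst = aggregate(flows)
    per_host = defaultdict(dict)
    for (host, hour), nbytes in totals.items():
        per_host[host][hour] = nbytes

    alerts = []
    for host, hours in per_host.items():
        ordered = sorted(hours.items())  # ISO hour strings sort chronologically
        for i, (hour, nbytes) in enumerate(ordered):
            history = [v for _, v in ordered[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                dsts = by_dst[(host, hour)]
                top_dst = max(dsts, key=dsts.get)  # where most of the data went
                alerts.append({
                    "host": host,
                    "hour": hour,
                    "bytes": nbytes,
                    "baseline": baseline,
                    "ratio": round(nbytes / baseline, 1),
                    "top_dst": top_dst,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_egress_anomalies(SAMPLE_FLOWS):
        print(f"{alert['host']} {alert['hour']}: {alert['bytes']:,} bytes out "
              f"({alert['ratio']}x baseline), mostly to {alert['top_dst']}")
```

On the constructed data only web-01's 06:00 hour is reported, at roughly 790 times its baseline with 198.51.100.7 as the dominant destination; mon-02's forty-fold jump is ignored because 400 KB is below the absolute floor. In practice the baseline window, factor and floor need tuning per host class, and the destination breakdown is what turns a volume alert into something an analyst can act on.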
