Recently I read a survey done by the Forrester Research that claimed the majority of IT professionals are concerned about open source security. Jack Wallen decided maybe it was time to ask a few questions of Forrester and give them an analogy they can understand.
Really? Did I wake up this morning only to find that Dr. Emmett Brown successfully teleported me Back to the Future with his Delorean? Or are the majority of people polled by Forrester that clueless and is Forrester that irresponsible?Let me break it down for you. In two reports done by Forrester ("The State of SMB Software: 2009" and "The State of Enterprise Software: 2009.") of the 2,227 people polled:
- 58% of large companies had security concerns about open source.
- two-thirds of small to midsized businesses had security concerns with open source.
- 9% of enterprises said they were "very concerned" with open source security.
- 45% of small to midsized businesses were "very concerned" with open source security.
I would like to ask both Forrester and those polled a few questions myself. To Forrester I would ask you:
- "Who is funding these surveys?"
- "Do you know anything enough about open source yourself to actually create a fair poll?
- What's with the large change between enterprise and SMB in the "very concerned" category?
To those polled I would like to ask:
- "Have you ever tried open source software?"
- "How's the security of your closed-source apps working out for you?"
I find surveys and polls of this nature very irresponsible. A headline such as, "Companies still concerned about open source security." tells the masses one thing: open Source software isn't secure. Now we all know that the vast majority of open source software is secure (not all of it, but most). Some open source software is far more secure than it's closed source counterpart. For those of us who have used both types extensively, those results raise red flags.
As yourself this question: If open source software is so much less secure than closed source software, then why does open source software not need so many third-party applications to secure it?
Another question for you to ask: If closed source software is so secure, then why is it that Microsoft, Norton, AVG, McAfee, etc. have to constantly update their security definitions to keep offending software out?
I want to use an analogy here (because now is a good time for one and because I like them). The analogy I will use is ye ole castle. We'll examine both open source and closed source ye ole castles.The open source castle: This castle is built solidly. It's pleasant to look at, it works, it's been standing for years, never offends anyone, and has few enemies. But when that rare enemy does come to attack they quickly find very few ways of breaking through, or getting in. The walls of this castle are too strong to break. There is no moat keeping them from getting to the walls (the builders assumed the castle strong enough not to need such a thing.) And so the open source castle just remains untouched. Oh, and anyone who wants copies of the castle blueprints can have them free of charge. The closed source castle: This castle is very appealing. Its design leads the dweller and the citizens to believe the owner is very intelligent and very wealthy. When this castle was first built it had no moat. But over time the owners of the castle developed a number of enemies and the castle quickly revealed it had many weaknesses. Doers of bad things were able to come and go as they pleased it seemed. And so the owner of the castle doth bid his groundlings to build him a moat in order to keep out the ne'er-do-wells. At first this moat did a grand job of keeping out the riff and the raff. But over time said riff and raff built boats to get across the moat and the wrong doings commenced again. And so the owner of the castle filled the moat with deadly creatures. And so on and so on with the same results. Oh, and anyone wanting blueprints of the castle must be a member of a very elite group and pay a very hefty tax.
You get the picture. And just why the analogy? Sometimes I feel like the masses (including those masses that report "findings" as Forrester did) haven't the slightest clue what open source software really is and what makes up its security. To those people it takes such a simplistic analogy to get them to even understand the difference between open and closed source software.
I remember back in the late '90s how Gartner was found of lambasting open source software at every turn. And almost everything they claimed about open source was wrong. They said open source would fail as a server OS. Wrong. They said open source couldn't gain any traction on the desktop. Wrong. They said the security model of open source was flawed. Wrong. They said open source would damage the market. Wrong. Gartner needed a serious dose of castle analogy. Gartner eventually realized their folly and acknowledged the value of open source software.I am not, in any way, saying the closed source software is bad. In general, it's not. I even use some proprietary software. What I AM saying is that until you have actually tried open source software you shouldn't be making such claims. I have used Windows in nearly all of its iterations. Although I have found it to be useful at times, I have had enough bad experiences with it to say, for me, it is not secure and reliable enough for my needs. As for your needs - I have no idea what they are, so I can't say open source will fit the bill. But if open source will meet your needs, I can say that most likely it will meet your needs much better than closed source software will.
I think the media (this includes survey groups and focus groups) needs to be responsible for their claims. As a whole, the masses actually take the opinions of these people seriously. Because of this, claims like "Businesses in North America and Europe remain broadly worried about the security of open-source software...." should include one of two things:
- A big * indicating that those polled may not have ever given open source a try.
- Who is funding the survey?
To that extent, maybe its time a fund is started within the open source community to pay for "research studies" that indicate such claims as "Majority of IT professionals say open source software is superior, in all ways, to its proprietary counterpart." Of course the biggest difference between this study and the other study is this study would come with a disclaimer saying:
"This study is protected by the GPL and can be modified, used, re-purposed, altered, sold, shredded, mocked, used as papier mâché, so long as the original source is included with any changes."
On a final note: If you go to the Forrester Research web site and do a search for open source software you will find plenty of surveys that extol the value of open source. So what gives? Why speak out of both sides of your mouth?