7/20/2018 | 1:53:42 PM
Re: Open sourcery
The "many eyes makes bugs shallow" and the "large scale of deployment implies safety" arguments are not automatically safe, which is something that many adopters of FOSS fail to appreciate.  Your typical complex piece of software is going to have, for example, a few dozen FOSS packages.  Some of them are popular projects and have a lot of eyeballs.  Some of them are not fashionable and have only a few.  Moreover, it's quite possible for packages in the latter set to be very widely deployed, so then you have something that is all over the place but that has not really been vetted very much.  The issues with OpenSSL are an excellent example - once the OpenBSD team started really looking at OpenSSL in the aftermath of Heartbleed, they were horrified by what they found.

That doesn't make FOSS bad.  It just means that using it is not a substitute for doing due diligence on the code.
7/20/2018 | 12:34:59 PM
Re: Open sourcery
I think the challenge in Open Source is that there are multiple contributors and it is not always clear what they did.  Depending on the Open Source project, you can have various levels of review prior to release.  

For example, we brought in a new version of openSUSE and our product would no longer boot up.  This happened because somebody thought it would be cute to have penguins march across the screen during the startup sequence.  However, we were a server without a monitor attached, and this caused the systems to hang.

I am using this as a simple and obvious example of what can happen.  It means whenever you bring in a new revision of OS that you need to treat it with the same skepticism as that from your own team.  There are tools that will auto-update OS on a platform and help deploy it.  I would argue that nobody should use them.  For a networking product, you need to fully vet and test every version that you get.

Now, having said all that, it has nothing specific to Huawei.  I have no idea what their internal OS processes are like.

7/20/2018 | 7:54:54 AM
Open sourcery
Is Huawei alone in failing to "manage third-party components, including open source code"? Open source is supposed to be safer than closed code because there is more transparency and more good guys looking out for vulnerabilities. I think the problem comes when you stay with an old version of an open source project that isn't patched.

There are plenty of cyber vulnerability tools out there to help mitigate these risks. Checkmarx and WhiteHat stood out for me. Others worth considering include Fortify, Grammatech, Insignary, Rapid7, Synopsys and Veracode (soon to be part of Broacade bizarrely).
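The point raised across this thread, that shipping an old, unpatched version of a third-party component is the common failure and that FOSS still needs due diligence on what you actually ship, comes down to a mechanical check: compare the component versions in your build inventory against the first fixed version named in an advisory. The script below is an added example written for this page, not code from any commenter or from the tools named above. The inventory, the advisory list and the EXAMPLE-ADV-* identifiers are constructed placeholders; the component names and versions are illustrative, not a statement about any real product. The one non-obvious part it demonstrates is version comparison: a plain string compare puts "2.10.1" before "2.9.0", so versions are split into numeric and letter runs first.

```python
"""Dependency-inventory check against a constructed advisory list.

Added example: flags third-party components that are still on a version
older than the one an advisory names as the first fixed release.
All names, versions and advisory ids here are constructed placeholders.
"""
import re

# Constructed inventory: what a product build actually ships ("name version").
INVENTORY = """
# component version
openssl 1.0.1f
libfoo 2.10.1
libbar 0.9.12
zlib 1.2.11
"""

# Constructed advisory feed: (component, first fixed version, placeholder id).
ADVISORIES = [
    ("openssl", "1.0.1g", "EXAMPLE-ADV-0001"),
    ("libfoo", "2.9.0", "EXAMPLE-ADV-0002"),
    ("libbar", "0.9.13", "EXAMPLE-ADV-0003"),
]


def parse_version(text: str) -> tuple:
    """Split a version string into comparable parts.

    Numeric runs compare as integers and letter runs as strings, so that
    1.0.1f < 1.0.1g and 2.10.1 > 2.9.0.  A plain string comparison gets the
    second case wrong ("2.10.1" < "2.9.0" as strings).
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", text):
        # Tag numeric parts 0 and alphabetic parts 1 so mixed tuples compare
        # without a TypeError; a bare "1.0.1" sorts below "1.0.1f".
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def parse_inventory(text: str) -> dict:
    """Parse 'name version' lines into a dict; blank and '#' lines are skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        inventory[name] = version
    return inventory


def find_outdated(inventory: dict, advisories: list) -> list:
    """Return (component, shipped, fixed, advisory_id) for each shipped
    component whose version is below the advisory's first fixed version."""
    findings = []
    for name, fixed, adv_id in advisories:
        shipped = inventory.get(name)
        if shipped is None:
            continue  # component not shipped, so the advisory does not apply
        if parse_version(shipped) < parse_version(fixed):
            findings.append((name, shipped, fixed, adv_id))
    return findings


if __name__ == "__main__":
    for name, shipped, fixed, adv_id in find_outdated(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{name} {shipped} is below first fixed version {fixed} ({adv_id})")
```

Run as-is it reports openssl and libbar as outdated and leaves libfoo alone, because 2.10.1 is newer than the 2.9.0 fix even though it sorts lower as a string. In practice the inventory would come from your build's SBOM and the advisory list from a vulnerability feed, but the comparison logic is the same.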
