Comments
sj0350
7/20/2018 | 1:53:42 PM
Re: Open sourcery
The "many eyes makes bugs shallow" and the "large scale of deployment implies safety" arguments are not automatically safe, which is something that many adopters of FOSS fail to appreciate. Your typical complex piece of software is going to have, for example, a few dozen FOSS packages. Some of them are popular projects and have a lot of eyeballs. Some of them are not fashionable and have only a few. Moreover, it's quite possible for packages in the latter set to be very widely deployed, so then you have something that is all over the place but that has not really been vetted very much. The issues with OpenSSL are an excellent example - once the OpenBSD team started really looking at OpenSSL in the aftermath of Heartbleed, they were horrified by what they found.

That doesn't make FOSS bad.  It just means that using it is not a substitute for doing due diligence on the code.
brooks7
7/20/2018 | 12:34:59 PM
Re: Open sourcery
I think the challenge in Open Source is that there are multiple contributors and it is not always clear what they did.  Depending on the Open Source project, you can have various levels of review prior to release.  

For example, we brought in a new version of openSUSE and our product would no longer boot up.  This was caused because somebody thought it would be cute to have Penguins march across the screen during the startup sequence.  However, we were a server without a monitor attached and this caused the systems to hang.

I am using this as a simple and obvious example of what can happen.  It means whenever you bring in a new revision of OS that you need to treat it with the same skepticism as that from your own team.  There are tools that will auto-update OS on a platform and help deploy it.  I would argue that nobody should use them.  For a networking product, you need to fully vet and test every version that you get.

Now saying all that, it has nothing specific to Huawei.  I have no idea what their internal OS processes are like.

seven
James_B_Crawshaw
7/20/2018 | 7:54:54 AM
Open sourcery
Is Huawei alone in failing to "manage third-party components, including open source code"? Open source is supposed to be safer than closed code because there is more transparency and more good guys looking out for vulnerabilities. I think the problem comes when you stay with an old version of an open source project that isn't patched.

There are plenty of cyber vulnerability tools out there to help mitigate these risks. Checkmarx and WhiteHat stood out for me. Others worth considering include Fortify, Grammatech, Insignary, Rapid7, Synopsys and Veracode (soon to be part of Broadcom, bizarrely).
