In the post, the author makes the following interesting comment:
Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,” even though:
- A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
- A customer can’t produce a patch for the problem – only the vendor can do that
- A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)
Now what's interesting here is this: the three bulleted items above are three very precise and accurate reasons why you should stop using closed source software!. I suppose the author of this piece thought they were being cute or glib by insulting their customers. Instead they laid out - in precise detail - exactly why their customers should drop Oracle products and switch to Open Source solutions. Because, with OSS:
- The customer CAN analyze the source code as part of their security audit process, and compare the actual code with the results from scanning tools
- The customer CAN create their own patch, and test it, and - since they probably don't want to maintain a forked version indefinitely - contribute it back upstream, where it benefits the entire community.
- The customer is NOT violating the license agreement by running static analysis tools (or, indeed, an other tool) against the code.
Of course the exact details of what you can and can't do with OSS code varies according to the specific license in use. In our case here at Fogbeam, we're proud to say that almost everything we do is licensed under the Apache License v2 - a very "business friendly", permissive license that gives you, the customer, tremendous freedom and security.
Let me end this by saying "Thank You, Oracle. Thank you for helping explain to the world, why they should quit using your proprietary, closed-source, business-hostile products, and switch to Open Source instead."