THAT “PROPRIETARY” THING MIGHT MAKE SENSE: It’s now becoming apparent that the Equifax security breach was made possible by the use of open-source code, and while the company knew about the vulnerability, it might not have patched it properly. This is a bug, not a feature of open-source:
There are a number of reasons why companies don’t move quickly to install fixes for their open-source vulnerabilities, said [Lou] Shipley [of Black Duck Software]. There is the pressure developers feel to get products to market quickly, and he said that pressure intensifies as more of the world’s business relies on software to be transacted.
Another reason is, unlike software from companies such as Microsoft, Oracle or SAP SE that send notices of when new patches and fixes are available, there are no notices sent with open-source software updates, he said. Companies go through an evolution of whether to retire some apps and when to do so, and some do a better job than others of staying on top of this task, he said.
One of the people who is hopping mad over the Equifax breach is Sen. Elizabeth Warren, who wants to hold Equifax executives accountable, which is all well and good. Corporate executives who mess up should be punished by the market and by the law if they were negligent to the extent that people are harmed. But there’s currently a provision in the NDAA to force the DOD to use open-source software in all new technology.
Who is the author of this provision? Step forward, Senator Elizabeth Warren.