Hernan seems to think that Microsoft produces secure code despite the
established fact that Microsoft after many, many, many years of
developing Windows still has to issue patches for security flaws every
month.
Microsoft has made many moves toward open source in the last year, which I have covered extensively at ZDNet. (Picture from Wikipedia.)
It has had its own open source licenses approved by the Open Source Initiative. It has built a fine open source repository called CodePlex and worked to separate its fate from that of the parent company. It has even released a lot of open source code.
But closed source remains a sort of state religion at Microsoft, as I learned this week from Fred Trotter, an expert in open source medical software.
Fred wrote this week about some FUD (Fear, Uncertainty and Doubt) Shawn Hernan of Microsoft is spreading within the security community — that open source is less secure despite its being visible.
Hernan’s argument is that many open source communities are very small. Just a few people may be working on the code, and few may be looking at it. If that program has wide distribution, it may in fact be less secure than one brought out by a large, proprietary company with dozens of programmers assigned to it.
Fred adds another inherent advantage Microsoft holds. “They can pay developers to follow procedures that ensure high quality code and they can pay some developers to do nothing but professionally audit code.”
Small open source projects can’t do that. But neither can small proprietary companies.
Let’s apply this to health IT, shall we? Hernan argues that one should go with the largest solution providers, those with the longest track records, and avoid the new because it lacks the programmer heft to assure security.
OK. Guess that lets out Amalga, Microsoft’s relatively-new hospital management system. Best to stick with McKesson or Cerner. Both are big companies that have been in the market far longer.
For that matter, forget any new vendor, not just open source. And come to think of it, hasn’t the VA’s open source VistA been around longer than any of the commercial vendors?
D’oh!
Hernan’s argument reminds me, at its base, of the machinations Ptolemaic “scientists” went through for many decades after Copernicus, trying to explain planetary orbits that seemed to “turn around,” which Copernicus concluded meant the Sun, not the Earth, was at the center of the solar system.
At some point, the defense of any failed intellectual point can become practically religious. Don’t confuse me with the facts.
The best open source projects are going to have well-managed teams at their heart, and they are going to have loyal communities that will report bugs. They will also have a system for distributing updates that assures unpatched software is retired.
Same with closed source, only with fewer eyeballs on the code, and with fewer having the power to patch code, progress may be just a bit slower. That’s just simple number theory at work.
There is danger in Hernan’s argument, of course, and it’s danger aimed at Microsoft itself. Any tech company is, at heart, a collection of engineers. And engineers should only be involved in religious arguments on their Sabbaths. During the week, let the data do the talking.
