Slashdot response: How To Argue That Open Source Software Is Secure?

This question was recently posted on Slashdot: How To Argue That Open Source Software Is Secure?

Smidge207 writes "Lately there has been a huge push by Certified Microsoft Professionals and their companies to call (potential) clients and warn them of the dangers of open source. This week I received calls from four different customers saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.' Other colleagues in the area also have noticed that three local Microsoft Partners have been trying to strike fear in the minds of companies that respond, 'Yes, we use open source or Linux' when the sales call comes in. I know this is simply a sales tactic by these companies, but how do I fix the damage these tactics cause? I have several customers who now want more than my word about the security of systems that have worked for them flawlessly for 5-6 years, with minimal expense outside of upgrades and patching for security. Does anyone have a good plan or sources of reliable information that can be used to inform the customer?"

Other than the shocking fact that I do, on occasion, still read Slashdot, I posted a response because I have also recently dealt with a similar issue. However, the way I dealt with it actually answered the above question, as opposed to the majority of Slashdot respondents who recommend following the typical geek-party-line by suggesting responses like "laugh at them because they are stupid," "don't waste your time answering", "Microsoft is stupid," "Windows always gets viruses", etc...

I point this out because these sorts of responses are not just typical of the users on Slashdot, but because they are representative of how many, if not most, tech people/geeks handle this sort of situation. The main point is that the attacks focus on some insignificant point that is only tangentially related to the initial question or problem, and completely miss the main point, which, although unspoken, is "How do I make sure the business won't have problems because of this?"

And to answer that question, you must, MUST talk in terms the business can understand. It does not matter if you're a Level 100 programmer with a +5 Magic Wand of Ultimate Debugging, because it's a people problem, not a technical one.

Anyway, the real answer is this:

Companies get audited from time to time. With this in mind, it's easy to make a real argument against these tactics. You can explain to the business people that open source code is constantly audited, and can be audited by anyone and everyone who wants to do it. Companies inherently understand why audits are needed and what their purpose is. (If you don't know why, auditing makes sure that there are no holes in the business processes and that everything is running according to spec). If you explain that it's the same for open source software, they will immediately understand in real business terms why open source software is not the great evil that the salesperson is telling them it is (and that it might actually be better than those other products).

Your answer would have been the first non-nonsense thing I'd have seen on slashdot if I bothered to read it anymore. :)


I only keep slashdot in the rss reader because I just can't keep up with the volume on digg, and slashdot tends to get the better stories that also show up on digg.

I'm not sure why I still read (a few) of the comments.