Since I started my blog and subsequently joined the Security Bloggers Network (see the side panel), I have been following a number of stories posted by other blog members.
Ok, two debates on SSAATY - open source and NAC. I have my opinion on each and here goes:
Alan contends, and I agree with him to a point, that users shouldn't be concerned with the making of software -ie, is it open source, commercial, closed, powered by little rodents, etc. They should only make sure that the software does what they want it to. And I agree to a point.
However, we are security people and we deal in risks and mitigation. Using closed source software does present one with certain risks that open source software does not and that is: what happens if the product is discontinued.
I have seen companies spend millions on closed source software only to wind up with a solution that can not be upgraded or changed. There are some programs that only run on dos and are so closed and so important the company lives with this outdated operating system. I'm not picking on DOS, think of all the proprietary financial systems that had to be quickly fixed or rewritten for Y2K on Unix. A proprietary system that at least has published and open standards (preferably industry-wide standards) would mitigate this risk to a point.
An example that just popped into my head is Internet Explorer. I know of an IT company that has built its entire way of working around an Intranet site. Good for them but they used IE6 specific "features" in the website and it doesn't work with IE7. Had they stuck to standards they would have no problems but they didn't.
You may argue - but Open Source and Open Standards are not the same but Open Source they usually go together whereas closed standards are usually in place to protect market share and don't work very well with Open Source software (where the standards are open as soon as the code is read and analyzed).
To Be Continued.