Modern Middle Manager
Primarily my musings on the practical application of technology and management principles at a financial services company.
In-House Entrepreneurial Activities

Friday, December 13, 2002  

Running an information services department, no matter the size, means dealing with a giant maintenance eyesore, sometimes on a daily basis -- software patches. Especially security patches. Even more so for Microsoft products (God bless Jim Allchin) -- although open source and other popular proprietary systems are hardly bastions of security. As bad as this is, there are far worse problems businesses face that require security procedures and processes in place to keep "in-house entrepreneurial activity" from occurring.

Security is more than rummaging through code and looking for unchecked buffers. Security is about business processes. It is not just a comprehensive trusted computing environment provided by controlling the desktop as tightly as the Department of Justice will allow. Although I think I understand what Microsoft wants to accomplish, I'm not convinced that Microsoft has the security mentality needed to re-evaluate security. How else to explain how so many bugs are created in their software and how an employee can abuse internal procedures to the tune of $9 million? Where are the controls, the double-checking/reconciliation, the dual-custody if necessary? Are they truly looking beyond the desktop to the entire business environment -- apart from attempting to lock businesses into their solution, of course?

It seems to me that open source development, by way of its collaborative nature, is less likely to see security as a whole than a single vendor or consortium of vendors. However, the security mindset is a meme -- get a few people thinking along those lines in major open source projects and the meme spreads, positively infecting the habits of developers and their project managers. If that basic change occurs and includes the additional question, "How will this software be used?" along with the usual, "What should it do?", then information services departments can only benefit and hopefully avoid ridiculous security problems in the future.

posted by Henry Jenkins | 12/13/2002 04:23:00 PM
