[By Jason Norwood-Young]
Late last year, I was asked to audit some software that had been developed overseas and bought by a large SA company to launch a new consumer website. It all looked pretty straightforward, until I noticed a strange line in the code: every time a new subscriber signed up, the software would forward this information to a mysterious IP address.
Clearly, someone working on the code had decided to do a bit of information mining. The combination of full name, address and e-mail of all the users of this site could be sold for a pretty penny to spammers. The site also accepted and processed credit card payments. Whoever engineered the malicious code had missed a golden opportunity — it would have been just as easy to steal credit card details, complete with expiry dates and security codes.
All the while, the customer would have had the false sense of security from the little lock in their browser, since this “hack” would not have interfered with the secure session established between themselves and the website.
There are only two ways that this potential theft could have been detected before the website went live. The first would have been fairly technically complex. We could have set the site up in a controlled environment and examined all the information sent in and out of the system. It would have been time consuming in the extreme, have required a great deal of technical expertise and would not have been 100% guaranteed.
The second way would be for someone to read the code, which is how we found the problem. For this to happen, we required “open-source” software – software where the code is clearly visible, and in this case editable. Not only could we detect the problem, we could fix it. The site still went live, without the security issues.
These are two reasons that as an IT buyer I lean towards open-source software. If there’s a problem, I can identify it and fix it. That doesn’t mean that I audit every piece of software that I run. There aren’t enough hours in the day. But I’ll often dive in and have a quick look around before committing to certain software. Poor coding styles and obvious unnecessary outgoing links should ring alarm bells.
Equally, it’s why I distrust proprietary software. I don’t know what it’s doing most of the time, and I assume the worst. I also don’t see the need to guard the software so closely.
An important element of open source is that is never gives up software copyright. All it does is gives me permission to view – and usually edit – the source code. (You also get “free” open source but it’s not as socialist as the proprietary software companies would have us believe.)
Proprietary software is like buying a car that comes with the bonnet welded shut. To check your oil or water levels would require a trip to the manufacturer, and a fee to go with it. Their biggest concern is that, should I see the engine, I would immediately go and create my own car from scratch.
Even though I can open my car’s bonnet, I really haven’t the first clue what most of the stuff does. I don’t have the expertise, skill or inclination to attempt to recreate a car. I trust that my car manufacturer knows how to build an engine, and car, better than I can.
Likewise, I assume that Microsoft or Apple know a lot more about building operating systems than I do. And yet they insist that the bonnet be welded shut.
I use the Apache Web server extensively, and it is open source. I can see how they built it and make my own Web server, but I’m not going to. Apache dominates the Internet, used on more than 60% of the top servers (and rising), compared to Microsoft’s 17% (and dropping). (See Netcraft for the latest figures.)
In the cloud
Those who don’t see the relation between the Internet and enterprise software will not like the next five years. There’s a shift to using Internet technologies such as Flash and HTML5 for enterprise applications, and simply outsourcing large portions of traditional infrastructure to the Web.
- Jason Norwood-Young is CEO of 10Layer, building the tools news publishers use to publish. A recovering journalist still struggling with geekiness, he’s also been technical manager at the Mail & Guardian Online, technology editor at ITWeb and deputy editor at Stuff magazine.