Observations from this year’s NSA Open Source Industry Day

What wasn’t surprising?

– Organizations are looking for an open source savior. They are looking for someone or something to hold accountable. They want “a single throat to choke.” They are conditioned to think this way based on the historical support they receive from ISVs that license proprietary software. And now, they turn to vendors like Red Hat for open source infrastructure software support. But that model doesn’t work for the hundreds or thousands of open source components that are sourced from different projects or forges. A new model is needed.

– Open source = Linux, MySQL, JBoss. When people think open source, they think large infrastructure software—they don’t think of the open source components that are used to build applications. Many are not aware of, or planning for, the fact that 80% of an application is composed of open source components. Until they accept this reality, it will be difficult for them to implement the processes necessary to secure component-based applications.