Is Code Auditing of Open Source Apps Necessary?

An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"

Yes.

[wed128]

Next Question.

Re:Yes.

[Thanshin]

No shit. I don't understand how this got to be a story. What's next, "Should Engineers Who Design Bridges Demonstrate Competency Before Thousands of Automobiles Drive on Those Bridges?"

No.

They should pass an accelerated three month course on how to mix cement, then spend six months mixing cement for 300$/month and then change jobs saying in their CV that they have five years of experience in construction. Only then they're ready to apply their experience to design a bridge.

When the first car goes over it and falls to its demise, they're just have to patch the bridge.

After a couple of years and innumerable patches, the bridge, now essentially a pile of cement over a chasm, will finally stop dropping more than a couple cars per day to the void. At that point, the engineers are ready to find a management position.

Re:It's not even really a question

[jimbobborg]

What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.

I still hear this every once in a while. So my question is, has anyone ever sued Microsoft for loss of data/trust? Have you not read the EULA?