In my career so far I’ve managed to meet lots of companies who have absolutely horrible business practices when it comes to security. Usually the problem is either a lack of technical staff skilled enough to secure things properly, a lack of support from management, or both. Either way the result is more open doors than are best for business. The other thing I’ve noticed is that companies who don’t take security seriously also tend to have crappy products. I guess those who are more concerned with the sale of their product than the quality of their product are not likely to care about security either.
It’s things like this that continue to push me further and further away from commercial software. The open source community takes the quality of their product very seriously, and they also take security seriously. I think often times it’s the open source community that sets the bar on how best handle security related issues. Take the recent security issue with a portion of Gentoo’s infrastructure. I’ve read a bit of bad press regarding the issue, but from my perspective the Gentoo infra team `set yet another example of how things should be handled. I think businesses large and small would benefit greatly from following the example of Gentoo and other open source organizations that take security seriously.
Well done Gentoo.