and this is why we need to stop absolving *commercial* cybersecurity vendors of software quality concerns.

there should be multiple checks preventing this type of broken content in an update.

how did they allow it to ship to so many machines all at once?

#crowdstrike

in reply to Kelly Shortridge

this is why I’ve side-eyed any federal document about software #security, quality, or #resilience that demonizes open source software while touting the virtues of commercial cybersecurity products

as if those products aren’t notorious for deep access + flimsy quality…

I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)

1) on OSS security https://kellyshortridge.com/blog/posts/rfi-open-source-security-response/

2) on secure by design https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

#crowdstrike

in reply to Kelly Shortridge

^ In our RFIs, we note that commercial security software is often a boon for attackers given its deep access + poor quality

indeed, much of it resembles malware in functionality.

in the #Crowdstrike case now, it’s poorly written malware. “Skidiot” shit, as a friend would say…

For all the ballyhooing about open source, why don’t we take the security of commercial security software more seriously?