Richard Bucker

Being cyber violated

Posted at — Jan 30, 2013

Sitting here and looking at OpenResty and Nginx, I cannot help but think about the latest Java security exploits. There was a time when you could buy a program off the shelf and, if it did not live up to expectations or there was a genuine problem with it, you could return it; in some cases there was even an expectation that you could litigate for damages (as evidenced by the many variations on the software license agreements). When you pay for software there is a certain expectation as to how it’s going to perform. So even if you get past that… what happens when the vendor intentionally or unintentionally delivers software with bugs, backdoors, exploits, data leaks, trojans, or phone-home behavior?

What will happen to the first company that does this on purpose, regardless of the license agreement? Are the licensing fees earmarked to pay for R&D, sales and marketing… or a lawsuit war-chest?

So as I look at Nginx and OpenResty, which have their origins in Russia and China: while these are open source applications, they do not get the level of code/peer review that I would expect for formerly hostile countries. But then what are the options when the commercial alternatives are so expensive?

If someone is listening… there is a market for a commercial package library. One where the code is reviewed and cleanroom packaged.