And I’m of the firm belief that Security by Obscurity is a joke. Having an open model could potentially make it easier to hack, but by the very nature of open source more eyes are looking at the same problem and can find and patch problems much quicker.

However you bring up another distinction that is important to keep in mind while examining this Open Source Software, the difference and relationship between “security” and “liability” of software.

They are not one in the same. In fact, from what you say about the current state of the Core is, “We don’t know how ‘secure’ it is. But we really don’t care cuz we’re not ‘liable.’” Security is NOT the same as liability.

PS. I stared a page on the BarCampBankSeattle Wiki about Open Source Software Rhetoric. Trying to keep track of the distinctions we are making, I guess trying to create a resource for ‘the right way’ to address an OSC.

And your observations of some next steps are right on. Maybe we should chat later this week…

So I propose the research and industry analysis route. Hopefully over the next few weeks I/We can carve out some time to look at the following:

* The difference of Redhat v. Fedora. These two code bases are extremely similar from my understanding, with a major difference being the “support” of redhat. Who choose which and why?

* The contributor base of Firefox. (Is there anyone out there not trying to hack the browser?) How many people do they have and how do they deal with the target on their back?

* A look at Sun and Java. I’m not exactly up to date on everything with them, but I think Sun is in the process of open sourcing Java. Has open sourcing led (or will lead) to more attacks on Java? Has it made Java less secure, all things considered?

* The role the IT security community plays in OS development. A whole industry has cropped up on the premise of finding bugs before the bad guys. (I’m not talking about reactionary measures, these companies are actively trying to find ways to exploit systems in ways no one has before…at least I think they are.) What exactly do these companies do? How do they do it? Does their presence benefit the industry?

* The current state of Core hacking, exploitation, and bug finding. How many exploits and hacks are currently attempted and successful? Who is currently policing the vendors?

Maybe none of these efforts produce anything to justify an OSC, however, my gut says once we start looking at ways Open Source currently operates, the case for an Open Source Core will seem not only feasible, but advantageous to the industry.

Anyone interested is more than welcome to take a chunk and run with it. I’m interested to see where this takes us

I liken it to web app hosting. I can throw linux/apache/mysql on a box and host my companies web apps from my apartment for next to nothing. We definitely do not do that.

What do we do? We pay someone else to perform the implementation of these open source solutions. You could say we are paying for bandwidth or the hardware, but really we are paying to have someone to yell at if the server goes down.

Now that may seem simplistic and beneath the “high stakes world of banking” but honestly if industry can find a way to provide this service for the “low stakes” of most web apps, how much greater will the offering be to the banking community.

I totally agree with Robbie that an Open Source Core would create a whole slew of opportunities in many areas and that implementation and monitoring would be one of the first to see action.

Just think of the potential. Right now you are paying for that “pass the buck” privilege as well as the cost of continuous code development and improvement.

Under an Open Source Core and the services that would spring up around it, for the first time, you could actually put a dollar value on the ability to blame someone else without having to also finance development of a code source!

Interested to hear more of your thoughts.

And the exact issues you’ve address are also some of the same I have with a fully open-sourced core. I’m not so much worried about a SAS70 because, in my limited understanding, it simply says the a company follows their own guidelines. But covering your ass is another story entirely. Many core’s “guarantee” that their software works and if something goes crazy, it is their tail on the line. With an open sourced core, that wouldn’t be the case. However that might create an opportunity for a third party company to review code and “insure” it against defect. That’s one of the nice things about OSS, it spawns many opportunities for support and addons.