@lightweight I get your point but don't entirely agree. There is a duty of care and trust put into the hands of the contractor and the expectation - particularly of large corporates - that their product is safe. Yes, the agency in charge should have done a security audit. But I respect SAP for owning up on this. Can you imagine the uproar if this had happened under a small local firm? It would have sunk them.
@lightweight Yes. The outsourcing comes too often with abandonment of expertise in subject matter the agency is charged with overseeing. That combined with the managerialism attitude that views anything technical as below the dignity of important people and you really set the stage for corporate rip-offs and failures. Gov't needs to retain (and respect) enough expertise to know that they are getting what they need and what they pay for from suppliers.
@lightweight That requires more transparency than typically practiced. FOSS provides such transparency. With big corporates and their proprietary IP protections, it has been my experience that even security audits that a gov't may perform are limited. You kind of just have to trust them to have shared everything needed. Not a good situation. Leaves me wondering why we even allow anything but FOSS.
@ByronCinNZ Yup. Imagine if the NZ gov't funded the development of a #FOSS gun licensing tracing system... and then told the US - "here, this worked for us. You can just use it. It's Free". And it would also give NZ some nice tick marks for its Digital 9 Charter membership... https://www.digital.govt.nz/digital-government/international-partnerships/the-digital-9/
@ByronCinNZ Hell yes. Well said.
@ByronCinNZ My humble suggestion is described in some detail here: https://davelane.nz/fixing-government-it-procurement - in short, the gov't needs to mandate that all IT solutions procured comply with vendor-neutral, royalty-free open standards.