Choosing open-source software depends on how applicable it is to a company's business model, said Ken Pfeil, CSO at CapitalIQ, a financial-information division of Standard & Poor's. Open source does not present more risk than commercial software, he said.
"I want to know what's under the hood," he said.
Liberty Mutual's CISO Scott Blake said his company uses a lot of open source but added, "In some cases, we want to transfer the risks with software to someone else. You can't do that with open source."
The panel was one of many sessions at this week's two-day conference, which is in its ninth year. Other sessions included vulnerabilities in antivirus software, legal aspects of network defense, and Google hacking, but the controversy that erupted over a presentation on Cisco vulnerabilities stole the show.
During the CISO panel, moderator Jeff Moss - Black Hat CEO - posed the question of how much weight the panelists give security certifications. Justin Somaini, director of information security at VeriSign, said certifications such as CISSP "are not a bad thing" but that they do not cover the business skills security professionals need - such as how to influence corporate officers.
Asked about emerging threats, Somaini said denial-of-service attacks and the role of organized crime are top concerns. People can expect to see the "involvement of truly malicious and highly motivated individuals" in future security threats, he said.
The session ended with panelists offering up their pet peeves about vendors. Somaini said products that claim to resolve a company's SOX issues irritate him while Pfeil said vendors that claim they protect against zero-day threats are his pet peeve.