The other observation I can make is that the only open source code mentioned in the report was CVS. I wonder whether relying on an SCM system that has been used in anger in open source, exposed to attack at all levels and from all vectors, would not have been better? Strange that McAfee chose to mention CVS, which almost no one uses any more. When Linus went to talk to Google about Git (http://www.youtube.com/watch?v=4XpnKHJAok8) he teased them about their SCM; if only someone had listened then. The SCM is not the real villain here. The real villain is software vendors who think it's OK to know of a zero-day vulnerability, in some cases published to the net through CERT alerts, and do nothing about it for almost 6 months, and then only prioritise it when one of their major customers goes public. (Shame on you.)
Will this happen again? Yes, without a doubt. Since it's clear that some vendors can't be trusted, your only protection is having the source code and the skills to check it, or trusting that peer review in the open will identify and eliminate holes. For those reading this who don't know: installed running binaries are almost as easy to analyse for holes as source code, but with source code you can provide a patch, and if the community is open, you can even persuade/embarrass them into doing something long before the problem ever reaches production. Trying to do the same to a commercial operation is nigh on impossible. Consequence? My inbox is full of the potential attack vectors for the next juicy story to hit the press. So much to do, so little time.