The Number One Reason To Move To Open Source: Security

I just read Bill Vass's latest blog entry titled: "The No. 1 Reason to Move to Open Source is to IMPROVE Security"

Bill opens this article with: "If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it's obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies' mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care about security. We have a saying in the world of Cyber Security: Security through obscurity, isn't."

After providing a good overview of the many factors that contribute to the enhanced security of open source, he closes with some facts from the US Government's National Vulnerability Database. The facts are clear on this point: proprietary software products have a much higher security risk than their open source equivalents.

Please check out his article and judge for yourself. And if you are a technologist, think of the many great options you have for enhancing the use of open source in your enterprise. You can even use it in combination with closed source/proprietary software to enhance the security posture of your enterprise.

More later.


Bob Gourley

Partner at Cognitio Corp
Bob Gourley is a Co-founder and Partner at Cognitio and the publisher of CTOvision.com and ThreatBrief.com. Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley

Comments

  1. Well, not so fast. While I agree with most of what Vass says, it's also the case that open source stuff becomes a target the more that it's used. Just look at what's happening with Firefox these days. Many of the point releases are because of security issues, and not simply to add functionality. An expert within the Intelligence Community told me, "most major public and private institutions do NOT use open source products (including the Intel. Community) and thus, they do not receive the security scrutiny that the commercial products get."

  2. Joseph M. Mazzafro says:

    Bob, I believe your view on open software is far too binary. The seeming appeal of Open Software is that it is free, until you need to integrate it, support it, or train to it. But I'll just skip over the infrastructure advantages of commercial open source software like MS and Oracle sell in terms of configuration management critical to enterprise operations and go right to security. I get that openness leads to better security over time as the user community will find and fix defects (though if you want Linux patches immediately you might want to consider Oracle Unbreakable Linux), but what about the adversary who develops malware from the open environment and keeps it in the "war reserve mode (warm)" until it wants an effect? To summarize, I am not arguing against open source SW as you define it, but suggesting there are places and uses where open source makes sense and others (far more in the IC) where commercially open SW is the better approach.
    joemaz

  3. Bob- Thanks for the note. I've heard that argument quite a bit, but frequently it seems to be made by folks from proprietary companies. Anyway, I have to admit this factor is at play. The more that open source is used the more people will try to attack it. But I really believe that software that is designed to be more secure is more secure, and there are quite a few ways to prove that. I would, however, like to argue with the person that told you most major public and private institutions do not use open source products. The fact that the person said that proves to me he or she is not an expert. I think the majority of them use open source. Don't all organizations use BIND? How else would they be able to use networks if they don't use that? I probably shouldn't be holding that up as an exemplar of security, but it does what it is supposed to very well and now, thanks to the open source community, has great DNSSEC features that all should turn on. And when it comes to OS's and traditional applications, I think Gartner said something like 85% use open source. I think your expert associate should do some more digging.

  4. Joemaz- Thanks for the input. I think I agree with most of that, and maybe I could have written that to sound less binary. I think in most cases enterprises want commercially supported open source. I think it is just human nature that IT program managers would like to be able to use any software before paying for services so being able to use open source software for free while starting up is attractive, but fielding something across the enterprise is best done with commercially supported open source.

  5. All points are valid. What is missing from the discussion is the process by which government maps requirements to available solutions, whether COTS or Open Source. Neither source of innovation is leveraged effectively, as the government has lost its ability to track, assess and acquire any innovative solutions due to the disastrous outsourcing of these functions to defense contractors who lack access to this market or the incentives to promote existing solutions over custom development.

    This issue was barely touched in the just released Defense Science Board report on IT Acquisition http://www.acq.osd.mil/dsb/reports/2009-04-IT_Acq…. The good news is that the new IT-Acquisition Advisory Council (IT-AAC), headed up by former Army PEO EIS Kevin Carroll and former AF Secretary Mike Wynne. Preliminary findings are posted at www.ICHnet.org. Recommendations for process improvement can be sent to Kevin.Carroll@ICHnet.org.

    • Thanks much John, I appreciate the comments and links. I just jumped over to your ICHnet.org site and had a quick look around. I'll be spending more time on there shortly and would recommend others do the same.

      Cheers,
      Bob
