Open Source Software and IT Security

Open Source Software or OSS is a computer software whose source code is available to the general public with relaxed or non-existent intellectual
property restrictions (or arrangement such as the public domain) and is usually developed with the input of many contributors.

This type of development also brings the expertise of multiple persons to bear on the design and architecture of a software program, making it robust and capable of doing the job for which it is being designed.

The openly viewable nature of the source of a program means that if possible problems are found, they can be quickly addressed and altered to adapt, with the supervision of more than one company / programming team.

When choosing between proprietary and open source security solutions, many organizations are misled by open source myths. As a result, they ask the wrong questions when evaluating their options and unnecessarily limit their IT solutions.
Is it risky to trust mission-critical infrastructure to open source software? Why should we pay an open source vendor when open source is supposed to be free? Will a shift to open source add complexity to our IT infrastructure?
These questions all arise from open source myths that this blog article will explain and dispel, allowing IT decision makers to focus on more important
organizational issues: return-on-investment, ease-of-use, agility, reliability,
and control.

First Myth: Open Source Software Is Too Risky as viewed in IT Security

Many IT decision makers have a knee-jerk reaction to OSS, especially when it
comes to security. They believe OSS is most appropriate for do-it-yourself
technology geeks working in their basements. It might be fine for a company
with an obsessive technology savant on staff, but for the rest of us, OSS is
unproven, complex, and risky.

This is a myth. The real fact is that OSS is already an integral part of enterprise network infrastructures. A recent Network World magazine article looked at the state of open source adoption within the enterprise and found it widely pervasive. It states, “Most of the packaged security appliances for everything from firewalls to security information management are built on the same BSD Unix and Linux distributions as the application servers you build yourself.”
A recent Forrester Research report  further argued that enterprises should
seriously consider open source options for mission-critical infrastructure.
“Although fewer than half of the large enterprises in Europe and North America are actively using or piloting open source software, a majority of those are using it for mission-critical applications and infrastructure,” the report said.

Second Myth: Open Source is Free

Another myth is that open-source is free of charge, and, as such, generic open source implementations can save thousands of dollars. A common question that open source vendors face every day is, “why should we pay for something we can go download for free?”

Certainly, OSS can be downloaded for free, but that is where “free” begins and ends. There are certainly other advantages to OSS, such as strong community support, continuous upgrades, and the ongoing improvement of projects by those using them. All of these advantages are technically free to any user, but someone must manage, evaluate, and then support whatever open source product your organization adopts.

If your organization would rather concoct its own OSS security suite from scratch, then it is possible to do so; however, be prepared to invest vast amounts of IT capital into such an effort. Not only must a company install and configure individual projects, but actually blending multiple projects together, all working with the correct interoperation and harmony, and being maintainable with regards to security patches and other upgrades, is a vastly complex task.
For example, while installing an Intrusion Detection component along with a
VPN solution on the same platform is technically possible, it takes a highly
detailed understanding of many different factors in order to ensure proper
processing of the traffic. For example, the VPN tunnel traffic is first decrypted, and then run through the IDS engine ensuring that encrypted traffic handled by the tunnel does not contain malicious payloads. Making things operate together is an essential component in deploying an effective security system.

A final issue is accountability. If homespun open source security fails, who is to blame? Is it the software itself? Perhaps, but what if it was configured
improperly? Is it some other product within your infrastructure that has
created a conflict? It’s possible, but you’ll need to search through bulletin
boards or wait for an expert within the community to respond to the question you post to find out. Is it your own IT staff member who managed the project? After all, that’s the exact person you will have to ask to get an answer. As the cliché states, ‘you get what you pay for.’

Third Myth: Open Source Vendors Add Little Value to OSS Projects

There is sometimes a perception that paying for open source-based products is a waste of money, since acquiring the same projects a company bases a
product on can be done for free (see Myth #2), and companies that attempt to commercialize OSS do not really add anything substantial to the offering that justifies the costs they demand. Also, some question the legality of charging money for products based on the work of others.

This myth is partially based on a common misunderstanding of open source licenses. Under the most common of open source licensing, known as the GPL, vendors are free to distribute and sell OSS if they follow the rules of the license and add value. In various products, vendors not only harness existing projects and code-bases in order to build their solutions, but then contribute back to the community in offering features, performance improvements, financial support, and more.
This further evolves the community so that it benefits from the
commercialization and can continue to evolve. Examples of this are the many versions of Linux and the Apache web server.

Companies that commercialize open-source software and add value, such as
documentation, guides, interfaces, interoperability and more, create a solution known as “mixed source” or “hybrid” solutions: a blend of both open-source and proprietary components. These solutions give customers the best of both worlds; they are based on a solid open source foundation, while also offering the support, documentation, QA testing, and upgrades. This provides a final level of polish that makes the solution stable, manageable, and realistically deployable at more companies than an open-source-only solution.

Fourth Myth: Proprietary Solutions and more reliable than OSS

As mentioned at the start of this blog,  the reliability and dependability of OSS
is called into question by closed-source proponents. If today’s security
solutions – open source and proprietary alike – start with the same Linux or
Apache foundation, then those tasked with securing the world’s networks
disagree with this premise. If security experts trust open source, why shouldn’t you?
Proprietary solutions do present many advantages, such as providing technical support, training, pushed updates, integration via APIs, and innovative GUIs. Today however, these same advantages are being added to lower-cost OSS alternatives by mixed-source vendors. Adding to this is the fact that the open source community actively resists much of what customers dislike about proprietary solutions, such as vendor lock-in, high initial costs, lack of feature upgrades/additions, and escalating maintenance contracts.

Open-source licenses discourage the kind of secrecy that has plagued proprietary software for decades—secrecy that has led to vulnerabilities and the inability to enhance or customize the software.
When something goes wrong in an open source security project, distributors
cannot deny, hide or downplay the issue. The OSS community actively polices itself and discourages anything other than openness.

Fifth Myth: OSS and its security is too complex for SMEs

There is some truth to this myth. Projects like Snort (a popular open-source
Intrusion Detection project) are certainly designed with expert users in mind – and they may work poorly (or not at all) if users are not familiar with their
approach and implementation possibilities.

Even if implemented correctly, an end-user must then ensure the program remains updated and continues to work correctly with the rest of the network security programs that are deployed. Fortunately, more and more software vendors are adapting open source projects to the demands of the market, making them very flexible and capable of being deployed in diverse network scenarios with ever-increasing ease.
There is also a second myth at work here. Proprietary solutions don’t
necessarily lack complexity. The idea that open source is an all-or-nothing
commitment is false. Proprietary vendors who follow the traditional shrinkwrap model work a lot harder to lock customers into their product lines. They won’t guarantee interoperability with competing products, and for those features they don’t offer, they’ll point you to equally expensive partner solutions. Moreover, many users of proprietary solutions are bemoaning a new datacenter problem: appliance overload. Even those proprietary vendors with a broad range of security offerings tend to deliver them as separate, standalone products. These many layers add cost and complexity to the IT infrastructure, as well as presenting multiple points of failure that could undermine security if even one appliance is mis-configured or out of date.

With mixed-source solutions, your organization can put together a best-in class security lineup without the associated costs or complexity. You also gain the flexibility to change your security posture as you see fit, without fear of breaking contracts, voiding warrantees, worrying about interoperability, or throwing away existing investments by being forced to abandon legacy
products that still work perfectly fine.

Conclusion

At the root of a myth there usually exists some level of truth or a situation that caused and then propagated the myth. The basis of this truth is then twisted and diluted and often lost amongst incorrect opinions or common
misconceptions.

Open-source is steeped in history and capability and remains
daunting to those that have not been educated in this exciting area of
development. This massive community has created some truly remarkable
tools; however, it continually faces various reactions to adoption of its ideas
and projects. This situation is mostly due to the community focusing more on
creation than marketing, and end-user awareness therefore suffers.
Mixed-source security solutions give customers the best of both worlds – the
low cost and reliability of open source, as well as the technical support,
training, and user-friendly interfaces of proprietary products. These are no
longer just tools for the gifted.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s