The yoga of the software world
By the end of 2003, an increasing number of organizations, including the city of Austin, Texas, the Commonwealth of Massachusetts and the Ford Motor Company, were looking at open source software (OSS) solutions as alternatives to proprietary packages.
In the first few months of 2004, internet research company Netcraft showed an increase in Apache web servers on the internet and SUSE Linux passed Evaluation Assurance Level 3 (EAL3) – part of an internationally recognized security requirement known as the Common Criteria.
"The Secure Computing Initiative is the kind of investigating that's been done in the open source community for years now," says Roman Drahtmueller, head of security at SUSE Linux. "People believe it's necessary to have the source code to develop exploits – that's not the case. However, as both security awareness and visibility increases, more people will look at what vendors are doing."
Mark Feldman, manager of the host intrusion prevention group at McAfee Research, with McAfee research scientist Robert Watson, has worked on a special research project aimed at improving the security of OSS.
The Community-Based Open Source Security (CBOSS) project was commissioned by the Defense Advanced Research Projects Agency (DARPA), and included companies interested in building infrastructure parts as well as those wanting check-box features.
The project is complete, and Watson says the results are being integrated into commercial products. One of these is the Apple OS X system, which Watson gives as a good example of blending open source with a proprietary system.
"We use open source here at McAfee Research because it would be impossible to do research on a closed source platform. Just like academia, open source enables us to explore and share the results of our research," he says.
Watson regards open source as a development tool to build solutions. It gives consumers the advantage of being able to see more of what is going on, greater control and a degree of independence – especially from vendors that might disappear or change direction.
"People are also taking advantage of some advanced security features, not necessarily virus scanning, but mandatory access control systems that you can now buy for open source," says Watson.
Open source suffers from many of the failings that closed source does, he adds, such as unresponsive vendors and being behind in revisions, but there are cost benefits, especially for customers that do not need a lot of functionality.
"Open source gives consumers more choice, which has its positives and negatives," says Feldman. "We're seeing more consumers thinking 'which do I want, which will best suit my business needs?'."
John Vance is the network manager for the University of California Los Angeles External Affairs. He is impressed with the thought that goes into many open source solutions, but his shop, which manages the network infrastructure for about 1,000 users, does not use Linux – he prefers a Cisco solution.
"The Berkeley people love open source," he says. "However, for us a proprietary system means less labor time spent on installing and customizing the solution. We can spend more time focusing on security, rather than maintenance of yet another box."
Vance believes Linux is labor intensive, and says he has seen other departments spend money on salaries to use open source rather than fund commercial software, and still not find the right solution.
"I know one co-worker that works in a department that doesn't like to fund proprietary solutions," he says. "They've been hammered by viruses. MyDoom hit them pretty badly. My co-worker had to set up an IronMail product using freeware and it took an enormous amount of time. Then he had to sell that to management as a good use of his time."
Vance says he feels proprietary solutions are generally more secure, but he believes Linux has come a long way in recent years. He likes the fact that there is a lot of "mindshare" going on within the community and hopes that this will become a strong force against spam.
Jeff Reich is the director of information and security controls at Interland, a web hosting and online services company. It uses some OSS solutions for security management, but not many. "Of the many solutions that might be presented in the open source world, you can't always be sure which one to rely on," he says. "More importantly, if a solution doesn't work as expected, you might not have any place to go for help or support."
Reich is impressed with the community effort that is put into developing the functionality and flexibility of the software. "The chances are that when you encounter an issue, someone else has seen it and might have a solution." He believes that managing costs is one of the greatest challenges facing potential OSS users. "The ongoing maintenance and support costs are often overlooked," he says. "The use of existing personnel and resources to support open source solutions often matches or exceeds those of proprietary solutions. At times, these costs are hidden and might not be identified."
Thorne Graham is a senior cybersecurity manager for the USDA. As part of a 20-strong team, he manages its lifecycle of network and telecommunications security, including policy and security programs. About 80 percent of the solutions used by his office are commercial, off-the-shelf products, with OSS making up the rest, including a fair amount of Linux software.
"Open source is great from a ROI perspective," says Graham. "However, unless there's a formal code review, I can't trust the open source community to show the right level of diligence."
Graham says his team has been using commercialized versions of Linux, and he tells them to test it in the lab when putting the modules together. He says he is still concerned that this testing is no substitute for a proper code review.
"We've been trying to get a government entity to do a code review and set up a trusted repository to make open source available to government agencies," says Graham. "It's been a shot in the dark so far – people have realized it's a concern, but no one has stepped up."
Graham sees OSS as being less secure than proprietary software because commercial companies have a responsibility to answer to their customers. "At least with a commercial company, there's some redress if the software is buggy – you can get it to patch or rewrite it. There isn't necessarily the same pressure on the open source community."
Graham says that although OSS tends to be more reusable and less "bloated" than proprietary code, its future as an alternative lies in its ability to form a trusted computing base, where someone is the steward of the code.
Cathy Mankus, IT manager for WAN, telecoms and security at building material supplier Louisiana-Pacific Corporation, uses some OSS and is open to the idea of using more. She heads up a team for virus alerts and patch management, and with about 13 sites in Canada, 40 in the U.S., and more than 7,000 end-users, Mankus says secure WAN connectivity between buildings is critical.
"Our enterprise systems are not using open source, but we use Apache and Perl scripting extensively and are not averse to the idea," she says. "The beauty of open source is the cost and flexibility. We have a large group that is familiar with it and helps to support it."
Mankus says that although the firm uses both Unix and Linux, most of the development there is fairly recent. However, many of its proprietary systems have been in place for a long time and have developed over many years.
"We're not going to throw away our legacy systems and migrate over at this point," she states. A main concern is knowing who to turn to when something goes wrong. "There are message boards and forums within the open source community, but no one to point the finger at and say 'you fix the problem,'" she says. "The advantage of working with a proprietary entity that's been around a long time is that you can get 24/7 support."
Russell Nelson is the vice-president of the Open Source Initiative, a non-profit corporation that manages and promotes the open source definition, and certifies open source software. He sees more companies switching to open source, especially on the server side. He also predicts that 2004 will be "the year of the open source desktop" as more companies are shifting to open source on limited domain systems. Also, more efficient office suite software, like Sun's StarOffice, is becoming freely available.
"People take time to make big decisions like this," he says. "Switching thousands of desktops takes time – you have to test the systems and train the people, but don't want to disrupt business."
Nelson says that software security lapses are inevitable, but believes that where open source shines through is in the fact that it is easy to do a security audit on the source code. "Black hats have a history of disassembling source code and looking for lapses," he says.
"But while it's easy for hackers to detect, it's also easy to fix – and there are more white hats than black. Open source is used as a vehicle for reputation enhancement – 99.9 percent of OSS has a person's reputation behind it. If that person screws up and makes a security lapse, they will catch a lot of grief."
The major challenges facing commercial OSS providers, continues Nelson, are providing a high level of customer support and understanding customer needs. "Industry needs to evaluate OSS on its merits and not just dismiss it as hobbyist. More and more OSS firms are recognizing the need to provide support. CIOs are asking 'will it run the mix of programs I need?'."