More and more proprietary security tools use some open-source code. What are the advantages for companies?
The line separating open-source software and commercial, packaged applications seems to have blurred. For evidence, just check out some of the widely used security tools available. Take Snort, for example. The de facto standard for intrusion detection and prevention, the open-source Snort has been integrated into hundreds of commercial software solutions, including those from Sourcefire and VeriSign.
Or consider Nagios, an open-source host, service and network-monitoring program. In addition to being widely available as standalone software, it is at the heart of Monitor, a $70,000 network-management and security product from software vendor Groundwork.
Other notable examples include OpenSSL and OpenSSH. The former is the open-source version of the Secure Socket Layer (SSL) encryption protocol widely used in e-commerce transactions, the latter the GNU General Public License (GPL) version of the Open Secure Shell remote-access technology.
They are both used "pretty much everywhere," says Andrew Jaquith, a senior analyst in the security solutions and services unit at the Yankee Group, a research firm. Two examples: Apple Computer has incorporated OpenSSL into its Mac OS X and Mac OS X Server software, and it is included in the Apache Web server; OpenSSH is at the core of SHH Communications Security's Tectia branded product, among others.
More importantly, according to Jaquith, is the fact that "both OpenSSL and Open SSH have received quite a bit of review and passed many vulnerability tests over the years. They are pretty well tested at this point."
That begs the question: Can open-source software equal the packaged security solutions on the market?
"I don't have a good answer to that question, I think each situation is different," says Mike Schroepfer, director of engineering for the Mozilla Foundation, which develops the open-source Firefox web browser (which has numerous open-source security features built into it).
"It's hard to make a blanket statement that one is better than the other," he adds. "For any particular task, you have to look at the set of tools available and determine what's most appropriate."
Talk with those in the open-source movement about the value of the security software they've developed, and the first issue that comes up is the "many eyeballs" theory popularized by open-source pioneer Eric Raymond. The doctrine, which helped make Linux a success, says that open-source code is inherently more secure than a packaged solution. Most importantly, they point out, is the fact that open-source code is widely reviewed by thousands of developers without commercial motives. Contrast that with just the handful of professionals who work on a typical project in the "closed" environment of a software development company.
This concept runs deep in the open-source world. Raymond himself puts it bluntly: "Ask any cryptologist: Don't trust a cipher you can't see."
Because open-source code has become so widely distributed and so broadly trusted by software developers, it's no wonder that it has found its way into a broad variety of for-sale security applications. These types of hybrid products deliver not only the sophisticated feature set that enterprises demand of mission-critical security software, but the support and maintenance services they demand, as well (more on this shortly.)
The list of open-source software components at the foundation of commercial security packages goes on and on. In fact, Stacey Lum, president and chief executive of InfoExpress, goes so far as to note, "It's pretty rare for a security vendor to not use some percentage of open source software."
As a result, open-source tools are commonly used in most enterprises, believes Rob Sherwood, the information security architect for Exostar, a Herndon, VA-based electronic trading exchange for the aerospace and defense industries. "Everyone uses it," he says.
"It's so easy to deploy, even in a small company," he adds. "It's nice to get something free, and many [internal software] developers will chose open-source security software because it's easier than getting a purchase order for the least expensive commercial product."
Costs play a role
There are ample reasons for commercial software developers to take the open-source route. Costs, as Sherwood says, play a major role for vendors and users. Having access to free source code that works as promised is attractive to software developers, especially start-ups. This "allows companies to leverage code written and examined by millions of people," says Lum. "Building on top of open-source software allows different companies to create higher value solutions for customers."
It can also make it less expensive for enterprises to buy the kinds of sophisticated security solutions that would normally be out of their reach. One of the key reasons Sam Lamonica, the executive who manages the IT services at Rudolph & Sletten, a Foster City, CA, construction company, selected Groundworks' open-source-based Monitor is because it cost far less than similar, proprietary security/ management products from the likes of Hewlett-Packard and BMC.
Rudolph and Sletten's Groundwork deployment was in the $70,000 range, about 10 percent of what a comparable HP OpenView or BMC Patrol system would cost, according to the company. As noted, Monitor is based on Nagios, an open-source tool that provides network monitoring functions comparable to that of the large commercial products.
Monitor is typical of the commercial packages that contain open-source security software. It extends the open-source software modules (it has several in addition to Nagios) with a variety of proprietary Groundwork software elements, configuration guidelines and parameter settings, documentation and support services.
Two other examples are products from Sourcefire and SSH Communications. These both take an open-source toolset and expand on it.
Sourcefire's 3D System, a commercially available intrusion prevention appliance based on Snort (and originally developed by Sourcefire founder and chief technical officer Marty Roesch), adds proprietary asset- and behavioral-profiling functions to Snort's rules-based detection engine.
SSH Communications' Tectia enhances OpenSSH's basic FTP file-transfer functions with a variety of management features while also performing faster, states Byron Rashed, a senior marketing manager at the company.
Updates are critical
With functionality a moot point, the critical driver in selecting between a packaged or open-source tool might well be which can deliver the best – and most timely – technical service and support, says Alan Paller, director of research at the SANS Institute.
"Because security software has become the new target of choice for hackers, the new decision-maker [in selecting software] is the method by which the software is patched and updated," he says.
"If you buy a product, and no one is assuring you that it's automatically patched, you're asking for your systems to be taken over," he adds.
Rashed uses OpenSSH as an example. "If you have a problem, and you go to the bulletin board, you may get an answer this month or a year from now, but when your communications are down, you need to get support quickly," and only a commercial vendor can ensure that kind of on-demand support, he believes.
On the other hand, open-source disciples point to the lax attitude many software vendors take to updating their products when vulnerabilities are found. Microsoft and Oracle are frequently criticized in this respect.
And many open-source projects update their tools quickly, as well. A good example is the ClamWin Free Antivirus project, which updates its code each time a new vulnerability is discovered or a new virus threat makes the rounds.
"There's more value in open-source solutions than people give them credit for," says Jaquith. "The commercial vendors say open source isn't supported and, in a sense, they're right. On the other hand, support for the commercial tools isn't exactly free, either.
"It's a classic case of the value of your time versus the value of your money, and both have their place."