The security of open source software is a key concern
for organisations planning to implement it as part of their
software stack, particularly if it will play a major
role.
The main concern is that because free and open source software
(Foss) is built by communities of developers with the source code
publicly available, that same code is equally open to attackers and
malicious users. From this follows the assumption that Foss is less
secure than proprietary applications.
Another concern is that
the Foss community might be slower to issue critical software
patches as vulnerabilities emerge.
Foss proponents claim these anxieties are unfounded and open
source can match shrink-wrapped and proprietary software for
security and, in some cases, offer greater security.
Andrew Fourie, UK country manager at unified threat management
firm Astaro, says it is a myth that Foss carries too high a
security risk to use in the enterprise. He says: "Many IT decision
makers have a knee-jerk reaction to open source software,
especially when it comes to security. They believe [Foss] is fine
for do-it-yourself technology geeks working in their basements but
for businesses, OSS is unproven, complex and risky.
"Open source critics attack the stability of the platforms as
not ready for widespread adoption due to their ever-changing
natures as they evolve by contributions to their features and code.
They criticise open source for requiring so many patches to stay
secure."
But he adds: "The argument that open source must be risky, since
it requires so many patches, is countered with the explanation that
by having so many individuals working with the source code of these
projects, potential vulnerabilities and design flaws are uncovered
much faster than with programs built on proprietary code."
Fourie also points out that open source software is already part
of most commercial IT infrastructures, with
open source projects such as Linux and the Apache web server being
common in enterprise IT systems.
Donal Casey, a security consultant at IT reseller and integrator
Morse, says open source software is "no less secure than a
proprietary stack. It also has the potential to have fewer flaws in
it".
Most commercial software companies have a limited team to
review their software, whereas in the open source community there are
many more people able to look at the code. So it can be argued that
open source is more secure than proprietary software because it has a
wider and broader development base. The US Department of Homeland
Security scheme, the Open Source Hardening Project, was established
in 2006 to check the security of open source software.
Across the 250 open source projects and 50 million lines of code it
has examined so far, the scheme has found roughly one software flaw
for every thousand lines of code. Its findings have enabled the
open source community to fix 7,826 flaws, which has benefited all
users.
So how responsive is the open source community at issuing
patches when vulnerabilities are reported?
Mark Cox, who leads the Red Hat Security Response Team, says the
responsiveness of any given open source project to a security issue
depends on the project and the seriousness of the issue. Many of
the larger projects (for example, Apache, Mozilla and the Linux kernel)
have their own security response teams.
For some issues, the finder of the vulnerability will contact
the open source projects directly, and give them time to produce
fixes before disclosing the issue publicly. In other cases, the
open source project needs to react to an issue that is already
public.
"A good example of reaction time was with a Linux kernel flaw. On
Saturday 9 February an exploit was made public that allowed a
local unprivileged user to gain root privileges on some Linux
kernels (CVE-2008-0600). Within a few hours of it being reported to
the kernel mailing list, on 10 February, patches were being
exchanged and tested. Later the same day the patches were committed
and a new upstream kernel version was released," says Cox.
He adds that the benefit of using a Linux distribution is that
security is managed by a single vendor, which can be preferable to
having to subscribe to the security lists of all the different open
source components being used.
"So Red Hat monitors a number of sources for details about
security issues in any of the thousands of open source projects
that make up our distributions, backports patches to correct the
issues and releases tested updates. Should an open source project
not be responsive to a security issue, the vendors work together to
come up with a peer-reviewed patch," says Cox.
In building a secure open source stack for the enterprise,
Martin O'Neal, managing director of security consultancy Corsaire,
says the approach is broadly the same, whether closed or open
source products will be used.
"The only way to be sure that a product is secure is to research
and evaluate it yourself. Luckily this doesn't require you to have
either an infinite amount of time or skill though. Using a search
engine to conduct a quick background check for historical security
issues with the vendor and product is a good place to start.
Additionally, use your social networks: ask your peers if they are
using the products, and if they have found them to be secure."
One view from an enterprise open source supplier, Ingres, is
that some open source software products, including operating
systems, application servers and databases, have high levels of
security built into them.
Emma McGrattan, senior vice-president of engineering at Ingres,
says: "Open source providers like Red Hat and Ingres, who are
building products for enterprise deployment, are building advanced
security capabilities, such as fine-grained access control,
security auditing and encryption, into their base products. It is
possible to construct a secure infrastructure stack built entirely
of open source software that could withstand a malicious attack as
well as its closed source counterparts."
"Open source detractors argue that providing access to the code
will result in security vulnerabilities being more easily
uncovered, but the opposite is in fact the case and providing
community access to the code results in a stricter and wider review
process and potential security vulnerabilities are found and fixed
before the products are released," she adds.
Nevertheless, Simon Crossley, partner at international law firm
Eversheds, advises organisations to carry out a thorough code
review if they are using an open source stack.
He says: "Code reviews allow an assessment of the quality and
nature of the security protections of the application and,
increasingly, open source security solutions are being adopted
because the initial investment cost is lower. Looking beyond this
initial investment cost, if third-party code support is required
then open source may not be appropriate as support may not always
be available and not to the extent that the commercial sector
provides. Ultimately, security in open source needs to be looked at
in the same way as traditional closed products."
As far as what an open source stack might include, Simon Heron,
internet analyst for technology supplier Network Box, says there is
a lot of choice among Foss products.
"OpenBSD and Linux come with good connection tracking firewalls,
which can act as the basis for the new gateway protection. Snort
would provide a good intrusion detection/prevention system.
Openswan can provide IPsec VPNs, and OpenVPN can provide SSL VPNs.
ClamAV can assist with anti-virus and anti-phishing while
SpamAssassin can provide the beginnings of an anti-spam solution."
"However, this would have to be supplemented with real-time
blacklists to provide reasonable detection. PacketFence will
allow companies to control their network users quite closely. For
bandwidth monitoring, ntop provides a good number of different
views on the traffic passing through the device. Then implement
Nagios to monitor the system to ensure it is running within normal
operating parameters."
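The "connection tracking firewall" Heron puts at the base of the gateway is worth seeing as configuration. The following OpenBSD pf ruleset is an added example, not from the article or from Network Box: it shows a default-deny policy, stateful pass rules whose state table lets replies back in without inbound rules, and a per-source rate limit on the one exposed service. The interface names, the LAN range and the choice of SSH as the exposed service are assumptions made for the example.

```pf
# Added example (not from the article or Network Box): a minimal stateful
# gateway firewall in OpenBSD pf. Interface names and the LAN range below
# are assumptions, as is SSH being the only service exposed to the outside.
ext_if  = "em0"                 # assumed Internet-facing interface
int_if  = "em1"                 # assumed LAN-facing interface
lan_net = "192.168.1.0/24"      # assumed internal address range

# Sources that trip the SSH rate limit below are parked here and dropped.
table <bruteforce> persist

set skip on lo

# Default deny, logged, so Snort/ntop-style monitoring can see what is dropped.
block log all

# Drop packets whose source address could not legitimately arrive on that
# interface, and anything from a source already flagged as brute-forcing.
antispoof quick for { $ext_if $int_if }
block quick from <bruteforce>

# LAN clients may initiate anything outbound. "keep state" is the connection
# tracking: the reply traffic matches the state entry, so no inbound rule
# for it is needed and unsolicited inbound packets still hit "block all".
pass in  on $int_if inet proto { tcp udp icmp } from $lan_net to any keep state
pass out on $ext_if inet proto { tcp udp icmp } from $lan_net to any keep state

# The gateway's own outbound traffic (package updates, DNS, NTP).
pass out on $ext_if inet from ($ext_if) to any keep state

# The only inbound service: SSH to the gateway itself, rate-limited per
# source. More than 5 new connections in 30 seconds adds the source to
# <bruteforce> and flushes its existing states.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect which sources have been locked out with `pfctl -t bruteforce -T show`. The same design (default deny, stateful pass rules, per-source limits) carries over to Linux netfilter, which Heron mentions as the alternative.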
James Nunn-Price, a director in security and privacy services at
professional services consultancy Deloitte, says: "It is a common
myth that to achieve a secure open source infrastructure an enterprise
requires a completely different approach to security than that for
closed source COTS (commercial off-the-shelf) products. The same
fundamental principles apply across the board, whether they be based
on security frameworks such as ISO 27001 or ITIL domains.
"If you don't have a patching process, for example, you are at
risk irrespective of whether or not you use open or closed source.
A key factor, whatever your technology choice, is that your staff
understand what it is they are managing and have the basic
capability to operate it."
He adds that an area of concern with open source has been the
question of support if something goes wrong. "While this might
still be the case for the more obscure open source projects, the
mainstream enterprise-class applications and operating systems have
significant backing and support from the likes of IBM, Novell and
Red Hat as well as significant track record in business and
government critical systems."