Open source security is not as big of a concern as it once was

Some shops are willing to go away from proprietary software for even the most precious data.

In 2003 Sreenivasa Rao Vadalasetty helped write a report for the SANS Institute that was titled “Security Concerns in Using Open Source Software for Enterprise Requirements.” To some that title today is almost laughable.

The report stated: “Though the open source has potential to be more secure than its closed source counterpart, it should not be taken for granted that open source is more secure because there are some constraining factors. Despite the fact that the source code is available for everyone, several vulnerabilities in open source remain undiscovered ....”

In a survey done by Black Duck Software last year, the findings showed that use of open source software has increased. The survey, which analyzed input from a record 1,300 C-suite and senior IT professionals, shows that 78 percent of respondents said their companies run at least part of their operations on open source – a number that has doubled since 2010.

“We’ve come a long way since then. It’s clear that open source has become the default base for software development, infiltrating almost every facet of the modern enterprise and outperforming proprietary packages on quality, cost, customization and security,” said Paul Santinelli, general partner at North Bridge, which partnered with Black Duck on the survey.

The survey goes on to say that 55 percent noted that open source delivers superior security.

“Open source security products have been used for more than two decades. Let's take Snort, for example. Released in 1998 and used for IDS/IPS by some of our own government's three-letter organizations. OSS originally got a bad rap for poor security due to proprietary software vendors' FUD tactics. Many companies have come to realize that more patches fixing security are released for OSS than most proprietary products. Why? The size of the community in any given project, agile processes and the need to act quickly to resolve any issues. Proprietary vendors still have a lock on finance and [human resource] applications... but that could be the next area for innovation in open source software,” he added.

Michael Taylor, applications and product development lead at Rook Security, said the open source community has consistently created excellent tools for both general and security purposes. “The reason these tools have been successful is that they are created in the open, so there is no mystery behind what the code is actually doing. This allows each user to determine for themselves whether they are comfortable with the actions of the tools,” he said.

Additionally, he said, the user gets to be involved in the development process through the creation of additional features, bug reports, and code review of the projects. This community involvement greatly increases the population of testers and code reviewers.


“We have used many different open source tools for security and in day-to-day activities. Most of the population has likely used open source items in one form or another, such as cell phones, operating systems within their cars or other home devices, and many other embedded systems. The security around these platforms is often components from different open source projects. An example is that the embedded Linux system in a car would have security components that would be seen in a production web server,” Taylor said.

Many tools that are open sourced are more readily usable than the closed source alternatives. Being able to see how the code works lets an end user quickly integrate the open source tool into existing systems. “When we are examining potential new tools, selecting an open source project which satisfies our needs is typically a better option than the alternatives. This is because we are able to rapidly deploy an open source tool without making a financial commitment to another company. It also lets us determine a proof of concept for using the new project,” he said.

Rook Security uses SNORT and Suricata for network monitoring, Elasticsearch as a database solution to handle many types of data, and OpenSSH for connecting securely to a host using strong encryption and authentication methods.

Bill Weinberg, who is senior director and analyst of open source strategy at the Linux Foundation, said open source software is deployed in nearly every aspect of enterprise infrastructure and across enterprise networks “to a degree unimaginable just a few years ago”. 

He cited a Gartner report that found an average 29 percent of enterprise software stacks are comprised of open source software, with best-in-class organizations utilizing up to 80 percent open source in their portfolios, freeing funds and resources to develop, acquire and deploy commercial/proprietary code for the most differentiating and/or business-critical functions.

When asked if open source is secure for every corner of the enterprise network, he said, “The issue isn’t whether open source is secure enough for PII - it’s whether the systems processing PII are sufficiently secure. The whole networks and the apps that run on them, which are today a heady mixture of proprietary and open source code.”


Stories by Ryan Francis
