
Open source in the enterprise

In the document The Secure Online Business (pages 155-158)

Paul Smeddle of The Positive Internet Company considers the advantages of Open Source software for ensuring the integrity of your business online.

Allow this chapter to be your final notice: if your business relies on proprietary software, you are living on borrowed time. This might seem an overblown claim. Indeed, you might not even be aware of what constitutes proprietary software. If so, it’s time to consider carefully the foundation on which the whole information infrastructure of your organisation rests. Firstly, a simple definition. Proprietary software is, these days, the usual sort of software you pull off the shelf and agonise over licensing seats and the like. You install it, it goes wrong, you complain, you pay for the upgraded product, it goes wrong again, and the whole cycle continues ad infinitum. Or at least, ad insanity, if you’re trying to keep up with the licensing machinations of the larger software manufacturers.

In proprietary software, a single company claims ‘ownership’ of the software and keeps a tight grip on its ‘intellectual property’. Often part of the ‘intellectual property’ they so carefully guard is the nature of that ‘intellectual property’ itself. By refusing either to open their standards or in fact to use existing open standards, many companies adhere to a policy of security through obscurity, whereby nothing at all is made public about the way the software works, particularly with regard to security issues. Wait, I hear you cry, isn’t that a good thing? The unequivocal answer is no. This may seem counter-intuitive, but it bears closer scrutiny. If a company builds a bank safe and declares it secure, that means nothing unless the safe has passed independent testing at the hands of some disinterested standards body. Sadly, in the software industry, this can rarely happen. What’s more, imagine buying a bank safe and being told that testing its security and probing its vulnerabilities, even after you had legally purchased it, was illegal.

Software companies are prone to selling solutions that are declared secure by those who build them. This is a ludicrous state of affairs. Clearly such software needs to be tested independently. The best way to test the technical strengths and weaknesses of a product is to open it up to public scrutiny. Indeed, this is the basis of the scientific method. Peer review, full disclosure and the like are the kingpins of our scientific culture. As there is virtually no incremental cost in distributing software for wide testing, it is possible to expose a product to a huge number of people, some of whom have the top technical skills in the industry, including perhaps those working for rival companies with a vested interest in detecting flaws. Software exposed to this pack of wolves must pass muster or be sent packing.

Unfortunately, it is not in many large companies’ interests to have their flagship software product’s security trashed by a Scandinavian computer science professor, so they try ever harder, through increasingly brutal copyright legislation and the like, to sweep things under the corporate-secrecy carpet.

This affects the consumer directly, as the market is diluted with vendors selling virtual ‘snake oil remedies’, at least as far as security is concerned. This may sound cynical, perhaps even alarmist, but the truth is that many vendors are earnestly selling products with flawed security models, in the belief that obfuscation and intellectual property battles are sufficient and necessary to protect their code.

The security community at large has a long history of taking matters into its own hands in a virtual ‘name and shame’ tradition, where security flaws in many products, commercial or otherwise, are openly discussed. One such forum is the ‘bugtraq’ list, a security mailing list that anyone can subscribe to. Bugtraq has gained a certain amount of notoriety in some sectors of the software industry and the IT press for its policy of publishing the unexpurgated details of security exploits as soon as they are discovered. This has led to criticism from several large companies who find themselves either unable or unwilling to publish patches for vulnerable code as fast as is needed. It has been deemed ‘irresponsible’ by these entities, but has been defended rigorously by renowned security experts such as Bruce Schneier, author of one of the most popular cryptography manuals and inventor of several widely used encryption algorithms.

In his popular monthly Internet newsletter, ‘Crypto-Gram’, Schneier comments on a draft IETF specification which would require the vendor to be notified of any exploit in advance of its publication. He agrees with the idea in principle, but warns that companies could use the procedure to withhold information about vulnerabilities in their software.

Indeed, he notes that the threat of full disclosure of a widespread SNMP bug was the primary motivator in convincing companies to patch their faulty software.

Open Source software avoids these pitfalls by simultaneously being completely transparent in terms of its security models and providing security experts who discover flaws with the means to develop patches for those flaws immediately. Open Source software is described by Eric Raymond in the ‘Jargon File’ as ‘software distributed in source under licences guaranteeing anybody rights to freely use, modify, and redistribute the code’.

Simply put, this means that anyone who buys or otherwise obtains an Open Source product also gets the ‘source code’, or programmer-level (as opposed to machine-level) instructions in which the software package was written. This allows anyone who has the product to audit it for security, raising the alarm if a vulnerability is discovered.

Furthermore, they can write a fix for the vulnerability, perhaps in consultation with the original authors or other technically adept users of the product. This fix can then be examined and audited, in turn, by the larger user community. This achieves the twin aims of peer review and full disclosure by which systems are ratified, advanced and secured.

Such full and open discussion of security models does generate a lot of traffic in security forums on the subject of vulnerabilities, which may be misinterpreted by the casual (or in some cases disingenuous) observer as evidence of Open Source software’s inherent insecurity. On the contrary, such healthy and rapid-fire analysis and discussion is what keeps Open Source software consistently ahead of the curve in terms of security. With proprietary software, undisclosed vulnerabilities can exist for months or even years, and even fixes for known vulnerabilities are often issued less promptly than they could be. Open Source software, especially software that is freely distributed such as the Linux kernel and the GNU operating system of which it usually forms a part, often has a patch for a vulnerability available in conjunction with the initial announcement of said vulnerability.

Much has been said recently about the ‘total cost of ownership’ of Open Source systems. Some of the claims levelled against them are that they require highly trained people to configure and manage them, are inherently complex and are incompatible with some commercial vendors’ offerings. The fact of the matter is that system security rests as much on the people administering the software as it does on the software itself. Proprietary or otherwise, there is no panacea for all your security concerns, and there is unlikely ever to be an entirely secure piece of software. Therefore, spending money on software at the expense of people skills is an inherently misguided impulse, especially when the (arguably) most secure software is often available for free (for most free software is Open Source, but the reverse is not true). The compatibility issues often cited are, for the most part, the result of the use of proprietary standards and protocols, which detract from the overall security of the products that use them.

Therefore, Open Source software is often cheaper (or free). You can’t afford to skimp on human resources if you take security seriously, and compatibility issues are a red herring. Weighed up against the very real costs of seat licences, upgrades, deprecated product lines and being at the mercy of the vendor for security updates, Open Source software looks to be the only option for those who are serious about their data.

The Positive Internet Company is the leading Linux-only web hosting company. They have a strong reputation in all aspects of Internet security, intrusion detection and Open Source solutions.

For further information contact: The Positive Internet Company Ltd, 24 Broadway, London W13 0SU. Tel: +44 (0)20 8579 5551; Freephone: (UK only) 0800 316 1006; Fax (UK only) 07020 935 412; Email: [email protected]; Website: www.positive-internet.com
