Guest editorial by Emma McGrattan
In the current economic climate, businesses of every size are looking to reduce their spending wherever possible. Open source software, which has no upfront licensing fees, is one way of achieving significant savings.
However, in order to protect their enormous revenue streams, large software corporations have invested millions in spreading fear, uncertainty, and doubt (FUD) about the security of open source software. In this post, I will examine and debunk five commonly held myths about open source security and why large corporations are promoting a "fear factor" mentality around open source software.
Myth 1 - Providing access to the source code makes open source vulnerable
A common misunderstanding is that open source software is more vulnerable to exploitation than closed source software simply because code that is visible is more likely to be hacked. In reality, most software vulnerabilities are uncovered through reverse engineering rather than by reading through source code. No list of commonly exploited software would be complete without mention of closed-source products from Microsoft, IBM, Oracle, Sun, CA, Norton, and McAfee, which belies the myth of security through obscurity.
Myth 2 - Open source is unregulated so anyone can compromise the code
Some opponents of open source propagate the myth that anyone can access and change open source code, which makes it unsecured and unreliable. Yet, the truth is that access to open source code repositories is strictly controlled. Source code changes go through rigorous peer review, as well as acceptance and regression testing before they may be committed to the project. In the open source meritocracy a developer must earn the right to submit code to a project directly, and even then no code is accepted without peer review and approval.
Myth 3 - Open source does not follow best practices for reporting and addressing security vulnerabilities
This myth keeps many companies away from open source, but it is useful to distinguish between the community that surrounds and supports many open source projects and the support that customers purchase from professional open source software providers. Such providers offer enterprise grade support and follow industry best practices regarding the disclosure and patching of security vulnerabilities.
Myth 4 - Open source does not provide the security features demanded by the enterprise
Maybe this was a fair comment when Linux and Apache were in their infancy, but open source has matured and open source products include the features required to secure even the most sensitive deployments. Open source solutions from companies like Red Hat and Ingres include sophisticated security features such as encryption, security auditing, role separation and discretionary access control and are deployed in instances where national security is at stake.
Myth 5 - The use of open source requires that IT define a separate set of security policies and procedures which increases cost and complexity
Opponents of open source would have you believe that any cost savings achieved through the use of open source are offset by the fact that a whole new set of policies and procedures must be defined before open source can be deployed in the enterprise. The reality of the situation is that the same set of principles applies to securing the enterprise whether using open or closed source products. Examples include keeping all software up to date and applying the latest security patches; enforcing a strong password policy; removing unused and guest accounts; using intrusion prevention and intrusion detection software to prevent and detect attacks; and deploying anti-virus and malware detection software.
The open source market has evolved and grown to a point where many customers do not see a software purchase as being a choice between open and closed, but a question of which product meets their needs, will deliver the best performance, and receive the best support. The realization that open source is not only a viable option for large enterprises and small businesses alike, but a real threat to their bottom line, has resulted in large commercial software companies focusing on discrediting the security aspects of open source development and open source products.
We have certainly learned just by watching the world at large that those who promote fear and foreboding do so to promote their own political or personal agenda, and ultimately to try and control the end result to their benefit. We will continue to see the promotion of this “fear factor” around open source by proprietary vendors in hopes that organizations will stay away and that innovation will be kept locked behind closed doors, moving forward only when the big guns say it is OK. The bottom line is this. Open source is a threat – to the bottom line and gold-lined pockets of every closed source software provider across the world.
* Emma McGrattan is senior vice president of engineering at Ingres and a member of the board of directors for the Eclipse Foundation. Born in Ireland, Emma earned a Bachelor of Electronic Engineering from Dublin City University.