Open source and the 'fear factor' mentality

Summary: Guest editorial by Emma McGrattan. In the current economic climate, businesses of every size are looking to reduce their spending wherever possible. Open source software, which has no upfront licensing fees, is one way of achieving significant savings.

Guest editorial by Emma McGrattan

How Closed Source Vendors Promote the “Fear Factor” around Open Source Security

In the current economic climate, businesses of every size are looking to reduce their spending wherever possible. Open source software, which has no upfront licensing fees, is one way of achieving significant savings.

However, in order to protect their enormous revenue streams, large software corporations have invested millions in spreading fear, uncertainty, and doubt (FUD) about the security of open source software. In this post I will examine and debunk five commonly held myths about open source security, and explain why large corporations are promoting a "fear factor" mentality around open source software.

Myth 1 - Providing access to the source code makes open source vulnerable

A common misunderstanding is that open source software is easier to exploit than closed source software simply because code that can be read is easier to attack. In reality attackers do not need the source: most vulnerabilities in shipping products are uncovered by reverse engineering and fuzzing the binaries rather than by reading source code, and those techniques work just as well against a product whose source is locked away. No list of commonly exploited software would be complete without closed-source products from Microsoft, IBM, Oracle, Sun, CA, Norton, and McAfee, which belies the myth of security through obscurity.

Myth 2 - Open source is unregulated so anyone can compromise the code

Some opponents of open source propagate the myth that anyone can access and change open source code, which makes it unsecured and unreliable. Yet the truth is that while anyone may read the code, write access to open source code repositories is strictly controlled. Source code changes go through rigorous peer review, as well as acceptance and regression testing, before they may be committed to the project. In the open source meritocracy a developer must earn the right to commit code to a project directly, and even then no code is accepted without peer review and approval.

Myth 3 - Open source does not follow best practices for reporting and addressing security vulnerabilities

This myth keeps many companies away from open source, but it is useful to distinguish between the volunteer community that surrounds and supports many open source projects and the support that customers purchase from professional open source software providers. Such providers offer enterprise-grade support and follow industry best practices for the disclosure and patching of security vulnerabilities.

Myth 4 - Open source does not provide the security features demanded by the enterprise

Maybe this was a fair comment when Linux and Apache were in their infancy, but open source has matured, and open source products now include the features required to secure even the most sensitive deployments. Open source solutions from companies like Red Hat and Ingres include sophisticated security features such as encryption, security auditing, role separation and discretionary access control, and are deployed where national security is at stake.

Myth 5 - The use of open source requires that IT define a separate set of security policies and procedures which increases cost and complexity

Opponents of open source would have you believe that any cost savings achieved through open source are offset by the need to define a whole new set of policies and procedures before it can be deployed in the enterprise. In reality the same principles apply to securing the enterprise whether the products are open or closed source: keep all software up to date and apply security patches promptly; enforce a strong password policy; remove unused and guest accounts; use intrusion detection and prevention systems to detect and block attacks; and deploy anti-virus and malware detection software.
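Two of the controls listed above, removing unused and guest accounts and enforcing a password policy, are the same check on a Linux host whether the host runs open or closed source software. The script below is an added example by the editor, not code from the editorial, Ingres or Red Hat. It audits the account database for guest-style accounts that can still log in, accounts with an empty password field, a second UID-0 account, and login-capable accounts whose password has not changed in a long time. The passwd and shadow lines are constructed sample input, not from any real system; the guest-name pattern and the 365-day staleness threshold are the editor's assumptions.

```python
import re
import time
from dataclasses import dataclass

# Constructed sample input (NOT taken from any real host); the format matches
# /etc/passwd and /etc/shadow on a Linux system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest Account:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
oldsvc:x:1003:1003:Legacy service:/var/lib/oldsvc:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$abcd$notarealhash:19000:0:99999:7:::
oldsvc:$6$old$notarealhash:17500:0:99999:7:::
toor:$6$zzzz$notarealhash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
"""

# Shells that prevent interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Names that usually mean a guest or throwaway account (editor's heuristic, an assumption).
GUEST_NAME_RE = re.compile(r"^(guest|visitor|demo|test)\d*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def parse_colon_file(text):
    """Map user name -> list of colon-separated fields, skipping blank and comment lines."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, stale_days=365, today_days=None):
    """Return Findings for accounts that violate the hygiene rules described above.

    today_days is the current date in days since 1970-01-01, the unit /etc/shadow
    uses for its last-change field. It defaults to now; it is a parameter only so
    that results on the sample data are reproducible.
    """
    if today_days is None:
        today_days = int(time.time() // 86400)
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, f in passwd.items():
        uid, shell = int(f[2]), f[6]
        login_shell = shell not in NOLOGIN_SHELLS
        sh = shadow.get(user)
        pw = sh[1] if sh else None
        # "!" or "*" in the hash field locks the account.
        locked = pw is None or pw.startswith(("!", "*"))

        # A second UID-0 account is a root-equivalent login that policy did not create.
        if uid == 0 and user != "root":
            findings.append(Finding(user, "uid 0 account other than root"))
        # Guest-style account that can still log in: "remove unused and guest accounts".
        if GUEST_NAME_RE.match(user) and login_shell:
            findings.append(Finding(user, "guest-style account with a login shell"))
        # An empty password field allows login with no password at all.
        if pw == "" and login_shell:
            findings.append(Finding(user, "empty password field (no password required)"))
        # Unlocked, login-capable account whose password is very old: probably unused.
        if sh and login_shell and not locked and pw and sh[2].isdigit():
            age = today_days - int(sh[2])
            if age > stale_days:
                findings.append(Finding(user, f"password unchanged for {age} days; likely unused"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python audit_accounts.py /etc/passwd /etc/shadow (reading shadow needs root)
        passwd_text, shadow_text, today = open(sys.argv[1]).read(), open(sys.argv[2]).read(), None
    else:
        passwd_text, shadow_text, today = SAMPLE_PASSWD, SAMPLE_SHADOW, 19100
    for finding in audit_accounts(passwd_text, shadow_text, today_days=today):
        print(f"{finding.user}: {finding.issue}")
```

On the sample data the script flags guest twice (login shell plus empty password), toor as a second UID-0 account and oldsvc as stale, while root, alice and the nologin system accounts pass. The same four rules apply unchanged to a host running proprietary software, which is the point of the paragraph above.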

Summary

The open source market has evolved and grown to the point where many customers no longer see a software purchase as a choice between open and closed source, but as a question of which product meets their needs, delivers the best performance, and comes with the best support. The realization that open source is not only a viable option for large enterprises and small businesses alike, but also a real threat to proprietary vendors' bottom line, has led large commercial software companies to focus on discrediting the security of open source development and open source products.

We have certainly learned, just by watching the world at large, that those who promote fear and foreboding do so to advance their own political or personal agenda, and ultimately to control the outcome to their benefit. We will continue to see proprietary vendors promote this “fear factor” around open source in the hope that organizations will stay away and that innovation will be kept locked behind closed doors, moving forward only when the big guns say it is OK. The bottom line is this: open source is a threat to the bottom line and gold-lined pockets of every closed source software provider across the world.

* Emma McGrattan is senior vice president of engineering at Ingres and a member of the board of directors for the Eclipse Foundation. Born in Ireland, Emma earned a Bachelor of Electronic Engineering from Dublin City University.

Topics: Software, Open Source, Security

Talkback

58 comments
  • Emma, you're hired!

    nt
    D T Schmitz
    • Proving linux businesses need more employees. ;)

      xuniL_z
• Get off your treadmill, you look tired.

        Thanks for the FUD Bud...NOT.
        kozmcrae
      • RE: Proving linux businesses need more employees.

        Not at all - the new employee will merely replace the no-longer-needed closed-source solution employee :-)
        rikasa
  • RE: Open source and the 'fear factor' mentality

    [i]Myth 2 - Open source is unregulated so anyone can compromise the code

    Some opponents of open source propagate the myth that anyone can access and change open source code, which makes it unsecured and unreliable. Yet, the truth is that access to open source code repositories is strictly controlled. Source code changes go through rigorous peer review, as well as acceptance and regression testing before they may be committed to the project. In the open source meritocracy a developer must earn the right to submit code to a project directly, and even then no code is accepted without peer review and approval.[/i]

    This is not a myth, this one was proven to be true. Remember the Gnome servers getting 0wned? Then someone uploaded some code to one of the 'oh so secure' linux distro repositories.
    Loverock Davidson
    • ....

      Look, our resident troll is back! ]:)
      Linux User 147560
    • OK everybody!

Shut everything down. Open Source doesn't work. Go back to proprietary because they never have any security breaches. How many repositories are we talking about? You cite one breach and declare the Open Source model a failure? You must be very disparate... you are disparate.
      kozmcrae
      • don't you mean.. deperate?

        heh
        isulzer
      • He also "forgets"

        The Windows system breach that let a lot of their code out into the wild. Ah well, it was only Redmond.
        zkiwi
      • u got it boy ! who's desperate here..!!

i think these were the statements made by the open source guys, when they said open source was way better than closed...
        carumartins@...
  • Truth number 1

    When it's [i]your[/i] money on the line, do what [i]you[/i] feel is best.

Everyone is always willing to say "this'll be great for [i]you[/i]".

But [u]if[/u] it fails, they're the first ones to say "wow, that really sux for [i][b]you[/b][/i]."
    AllKnowingAllSeeing
    • How can you say that?

      Because Open Source has given them a choice. There is no real progress where there isn't choice. Is your ignorance one of malice or the paycheck variety?
      kozmcrae
    • Except...

Some people get upset when you tell them what worked best for you. People seem to get irate because you chose to use OSS and it worked just fine for you. You're called cheap when it's nothing more than good business sense.

So if people don't want to try OSS even though it's been proven all over the place so be it. But why must they bother the people that are smart enough to use it?
      storm14k
      • Because..

        They are jealous. And upset that they wasted so much
        money for no reason.
        Put yourself in their shoes.
        AzuMao
  • And with the blog we got the "up front cost" myth.

[i]Open source software, which has no upfront licensing fees, is one way of achieving significant savings.[/i]

    Unfortunately for this myth, businesses look at costs over time, not just the "up front" costs. I mean right off, Windows licensing is a capital expense.

    Then we see that a Windows server license = 800.00 approx.

    Red Hat Support over 5 years = 1750.00. Unless the argument is that most companies do not need the support. In fact they usually need to bolster their staff by at least a few FTEs and/or use Linux contractors heavily at rates that are very exorbitant.

    As for CALs, most businesses use the same client for ages. In Gartner and other Vista usage polling many of the companies not moving to Vista are Win98 and Win2000 Pro shops (debunking another myth that Windows is no good after MS drops Windows Update support), which demonstrates the average lifespan of a client is somewhere between 7 and 10 years.

    There is NO evidence, zero, zip nada, that Linux desktops used in large numbers are cheaper than Windows clients over 10 years.

    Another myth to bust is a biggie. The ABM crowd's claim that Vista *sucks*. It's another Windows ME technology-wise and otherwise.

    These same people have backed blogs that show Gartner and Klac polling data about the uptake of Vista. They stand behind these polls. However, if they would read them far enough, they would find that of the 30ish% moving to Vista, 89% of the respondents found the value to be *excellent* and far exceeded their expectations. They would definitely recommend Vista to other peers. Yeah, they miss that part. You'll find it in the most recent copy of eWeek.

    xuniL_z
    • Honest questions

You compared a Windows server license to RHEL support. Is support included for a Windows server license? I was under the impression support costs extra, though I could be wrong.

[i]In fact they usually need to bolster their staff by at least a few FTEs and/or use Linux contractors heavily at rates that are very exorbitant.[/i]
      This is assuming the existing Sysadmins & tech support have inadequate *nix experience/qualification.

      [i]There is NO evidence, zero, zip nada, that Linux desktops used in large numbers is cheaper than Windows clients over 10 years.[/i]
      Well...without meaning to be pedantic - I'm not aware of any evidence to the contrary either. What are you looking for - an ongoing counterexample? (http://ubuntuforums.org/showthread.php?t=866686) How large is "large"?

      And I'm [i]sure[/i] there are open-source solutions other than linux...
      AndyCee
      • I think

"You compared a Windows server license to RHEL support. Is support included for a Windows server license?"

        I think 90 days worth is included. After that, yes, it is expensive.
        roaming
• Many of those jumping on OSS ...

are shocked when they check the billing for service and any non-trivial tweaking of source code, and then realize they were fooled by the myth of being "Free".
      LBiege
      • Researchers say...

        If you wear a lab coat and hold a clip board, people will be more inclined to believe you. But if you blather on in a sensationalist manner, trying to frighten people away with tired old myths, you'll be the source of much laughter in a future business class studying the death of proprietary software.
        kozmcrae
        • so ...

          why don't you get a clip board and a lab coat instead of firing off "death of proprietary software" sensation then?
          LBiege