January 16, 2003

Open Source Security: Better Protection at a Lower Cost

Steve Schlesinger, Astaro Corp.

At first glance, the idea of using open source software for a firewall or other security application seems counterintuitive, even absurd. Why would a corporation use code that's available to anyone - hackers, cyber-terrorists, disgruntled employees - to protect its most vital information assets? Yet that's what's happening at places like Stanford University, EDS, and Los Alamos National Labs, to name but a few of the many organizations using open source security software.

What do these people know that the Wintel world doesn't? That, when properly implemented, open source products are more affordable and more secure than closed proprietary systems. In other words, an open source security suite can keep data safer while saving companies money.

Let's examine these claims in more detail.

Open source is more affordable. Open source security suites cost far less than closed systems because development expenses are radically lower. At Astaro, the company where I serve as general manager, the cost of integrating open source tools into a comprehensive security suite is roughly one-fifth that of creating such tools from scratch. These Linux-based apps generally have lower hardware and training requirements as well, further slashing costs.

An April 2002 study by Cybersource Pty. Ltd. compared the total cost of ownership for open source platforms versus Microsoft Windows systems, factoring in hardware, software, training, and support costs. Their conclusion? Open source software could save a medium-sized business more than 34 percent over three years.

The lower cost leads to greater security, especially for companies that lack the big IT budgets of Fortune 500 corporations but whose security needs are every bit as real. These smaller companies can't afford to protect every asset, so they play Russian roulette every day, focusing on what they think are the most vital and vulnerable ones. Given the lower costs of open source, more company assets can be included within the security umbrella. More importantly, it frees up firms to spend money in areas that are often neglected - such as educating end users on how to implement best practices - and that have a greater long-term payoff.

Open source is more secure. The security of open source code is a matter of intense debate, which was fueled even more by the recent discovery of security flaws in the widely used Apache Web server and the OpenSSL cryptographic library.

The fact is that no piece of code, open source or proprietary, is 100 percent secure. But thanks to the process of broad, continuous peer review, open source code is less likely to harbor flaws that go unfound. According to a study by Forrester Research in August 2000, IT managers cited security concerns as their number one reason for switching to open source software.

The 'security through obscurity' approach relied on by closed source software doesn't work as well, in large part because proprietary code is obscure only to those who might otherwise be inclined to find and fix its flaws.

"Sophisticated hackers don't need your source code to find security problems," notes security researcher John Viega in a September 1999 paper. "Hackers can observe program behavior, analyze your binary, and even run your program through a decompiler to get a reasonable replica of your source code. But even if they get in, you won't gain from the 'many eyeballs' phenomenon... By taking away the source code, you make the program harder for people to analyze, and thus they are less likely to help you improve your product."

Open source gets fixed faster. When security holes are discovered, they're patched much more quickly with open source than with proprietary software. For example, repairs for the Apache flaw were available within two days of the hole's discovery. Compare that to the typical lag time for, say, a certain leading operating systems vendor to issue a software patch.

In security, rapid response is everything.

A SecurityPortal study published in January 2000 found that open-source vendor Red Hat took an average of just over 11 days to patch a bug in its Linux OS. By contrast, Microsoft took 16 days to fix flaws in its software, while Sun customers had to wait nearly three months for solutions.

Open source is simply better. Thanks to peer review, open source software undergoes a process of continuous improvement and frequent updates. Unlike the customers of proprietary software vendors, open source users won't have to wait months or years for a new version to roll out. This ultimately leads to a more reliable, higher quality product.

When Microsoft released Windows 2000 in February 2000, the code contained more than 63,000 defects, according to an internal Microsoft memo. In May 2001, Lansing, Michigan-based insurance firm J.S. Wurzler Underwriting announced it would raise its premiums up to 15 percent for companies that relied on Windows NT on their Internet servers. The reason? The underwriters found that clients using NT were more susceptible to hacking and other attacks than those who employed open source security products.

The open source model also lends itself to more vigorous and timely after-sale support from an active community of users, which in turn lowers the cost of support, once again saving companies money.

Integration is key. While open source programs are traditionally available for little or no licensing fee, simply cobbling together a series of firewalls, intrusion detectors, anti-virus utilities, and other security apps may actually be more expensive and less secure in the long run. For one thing, network admins must master a different interface for each app, which means companies will spend more time and money training them. And the need to continually patch each app individually greatly increases the odds of missing an update vital to that app's security, thus leaving data more vulnerable.

An integrated approach -- one that takes the best open source apps and integrates them via a single interface -- offers the best of both worlds. The benefits are many: Administrators will have only one interface to learn, one set of updates to install, and one contact to call when they need help. And they'll have that active community of Linux diehards helping to make them more secure.

Bottom line. Top-notch data security doesn't have to come at a premium price. Open source tools are already protecting the networks of thousands of corporations and organizations around the world, and doing it better and for a lot less than proprietary solutions.

Steve Schlesinger was most recently vice president, corporate development, at SoundBite Communications. He was previously at Workgroup Technology and at Easel Corp. Contact him at sschlesinger@astaro.com


Forrester study

Cybersource study (PDF)

The Viega paper originally appeared here, and is now cached here.

SecurityPortal report

ZDNet story on Windows 2000 bugs

News.com story on Windows NT insurance
