William Jackson | Is open-source software secure or not?
Cybereye commentary: Feds appear to be of two minds about the security of such software
- By William Jackson
- Nov 26, 2007
Open-source software appears to be moving into the federal mainstream, according to a recent study by the Federal Open Source Alliance. But feds appear to be of two minds about the security of the software.
A majority of agencies surveyed -- 55 percent -- said they had implemented open-source software, and 29 percent of agencies that had not yet done so said they were planning to adopt open-source tools within the next year. The top reason for using such tools? Thirty percent of the respondents said it was the ability to access advanced and multilevel security capabilities.
However, 34 percent of those involved with open-source implementations said security was their biggest challenge, and 40 percent of those who were not using open-source tools listed security as the primary reason.
So is open-source software secure? It depends.
As with many surveys, it is hard to know just how much weight to give this one. The Federal Open Source Alliance is a triad formed by Hewlett-Packard, Intel and Red Hat to promote open-source software in government, so they clearly have an interest in the results. The survey was conducted online with only 218 respondents -- 65 percent civilian, 24 percent Defense Department and 11 percent intelligence community. But the alliance claims it is accurate to within 5.5 percent, with a 90 percent level of confidence.
What are we to make of this split on security? Alliance members, of course, side with the respondents who praised the software's security. Those with doubts about its security 'are either confused or we are not doing a good enough job of education,' said Paul Smith, vice president of government sales operations at Red Hat.
He has a point. The intelligence community, which typically is obsessed with security, is one of the most enthusiastic users of open-source software. Eighty-eight percent of respondents from that sector said their agencies are using it. And as Smith reminds us, it was the National Security Agency that embarked on the program to develop Security-Enhanced Linux, which has been commercialized as Red Hat Enterprise Linux. Version 5 of that operating system has been certified under the Common Criteria at Evaluation Assurance Level 4+ for the Controlled Access Protection Profile, the Labeled Security Protection Profile and the Role-Based Access Control Protection Profile.
That does not mean that open-source software is inherently secure or more secure than proprietary software. As with any software, security and other features depend on the specific tools you are considering. Open-source products offer the convenience of access to source code and the advantage of an almost unlimited community of developers tinkering with and making improvements to them. When a reliable commercial distributor reviews and supports those improvements, the process can produce good results.
Proprietary software, on the other hand, has a company standing behind it -- a throat to choke -- that has a financial interest in the quality of its products and can be required to support them.
As should be abundantly clear to anyone who has sat in front of a computer, neither model is perfect. Human beings make mistakes, and people with malicious intent will find ways to subvert the best efforts of others. In the end, when selecting software, the question to ask is not whether it should be open source or proprietary. The question should be, 'Does this software meet my needs and can I rely on its source?'
If the answer is yes, use it.