6 tips for adopting open source

 


Introducing open source code doesn’t have to be an intimidating process. But ensuring security is key.

Open source code drives collaborative innovation from a larger pool of developers at a lower cost, which is why federal agencies are adopting the “open source first” model. In fact, Sonny Hashmi, CIO of the General Services Administration, recently announced that implementing open source software is among his top priorities this year.

So what’s the best way to increase your agency’s adoption of open source software and keep it secure? Here are six tips to get you there:

1. Standardize on a common platform.

Imagine the Army telling new recruits to stop by the gun store on the way to boot camp and pick out whichever rifle they want. You can picture the chaos that would ensue in training consistency, interoperability and logistics.

The same principle can be applied when designing a data center. Most developers want the latest tools at their disposal, but this desire conflicts with the goals of operations teams, who want to provide a consistent, standardized, stable and secure foundation to build upon.

For example, the use of Software Collections, a repository of enterprise Linux tools, benefits both teams by providing the latest stable databases, development tools and programming languages that make developers happy, while packaging them in a consistent, standardized, stable and secure way that improves function and efficiency for operations teams.

2. Use systems management tools to automate your success.

Once you’ve standardized, you can automate. Systems management tools will transform a data center from an artisan workshop to a high-output IT factory. By attaching standard systems to a centralized management tool, a common dashboard will show the status of systems in real time and whether security patches or bug fixes are needed. Just like the operations control in a large factory, these tools can ensure a data center factory is humming along for its end users.

3. Use SCAP for continuous monitoring of your data center's security posture.

So, you just installed some open source software. How do you properly secure it? Fortunately, the Security Content Automation Protocol (SCAP) transformed security policy from human-interpreted prose to machine readable, unambiguous XML. In the past, SCAP scanners were only available from proprietary companies. Today, open source tools like OpenSCAP are freely available, built into many operating systems and certified by the National Institute of Standards and Technology. By combining OpenSCAP with systems management tools, IT pros can run large-scale automated scans frequently, ensuring the efficiency and security of the data center.
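As an added illustration (not code from the original article), the following Python reads XCCDF 1.2 results documents of the kind `oscap xccdf eval --results` writes and rolls failures up across hosts, which is the sort of aggregation a systems management dashboard performs. The host names, rule IDs and outcomes are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
NEEDS_REVIEW = {"error", "unknown"}  # check did not complete: not a pass

# Constructed sample data: minimal results documents for two made-up hosts.
RULE = ('<rule-result idref="xccdf_org.example_rule_{0}" severity="{1}">'
        '<result>{2}</result></rule-result>')
DOC = ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
       '<TestResult id="xccdf_org.example_testresult_demo">'
       '<target>{0}</target>{1}</TestResult></Benchmark>')
SAMPLE_SCANS = [
    DOC.format("web01",
               RULE.format("sshd_disable_root_login", "medium", "fail")
               + RULE.format("package_telnet_removed", "high", "pass")
               + RULE.format("audit_rules_time", "medium", "notapplicable")),
    DOC.format("db01",
               RULE.format("sshd_disable_root_login", "medium", "fail")
               + RULE.format("package_telnet_removed", "high", "fail")
               + RULE.format("grub2_password", "high", "error")),
]

def parse_scan(xml_text):
    """Return (host, failed, unchecked) from one XCCDF results document."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", NS)
    host = tr.findtext("x:target", default="unknown-host", namespaces=NS)
    failed, unchecked = [], []
    for rr in tr.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        entry = (rr.get("idref"), rr.get("severity", "unknown"))
        if outcome == "fail":
            failed.append(entry)
        elif outcome in NEEDS_REVIEW:  # surface these instead of hiding them
            unchecked.append(entry)
    return host, failed, unchecked

def fleet_summary(scans):
    """Map each failing rule to the hosts that fail it, widest impact first."""
    hosts_by_rule = defaultdict(set)
    for xml_text in scans:
        host, failed, _ = parse_scan(xml_text)
        for rule_id, _severity in failed:
            hosts_by_rule[rule_id].add(host)
    return sorted(((rule, sorted(hosts)) for rule, hosts in hosts_by_rule.items()),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for rule, hosts in fleet_summary(SAMPLE_SCANS):
        print(f"{len(hosts)} host(s) fail {rule}: {', '.join(hosts)}")
```

Results of `error` or `unknown` are reported separately because a check that never ran says nothing about compliance; `notapplicable` is neither a pass nor a failure.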

4. Master navigation of vendor vulnerability databases and tools to minimize vulnerability windows.

When a data center is vulnerable to security flaws, the window of attack needs to be closed immediately by patching. The best way to do so is to choose software that is officially compatible with CVE, the set of standard identifiers for publicly known security vulnerabilities and exposures.

When a vulnerability is recognized, it’s assigned a CVE number. This gives multiple vendors a single identifier to determine their vulnerability in a consistent and measurable way. Many open source projects and communities don’t consistently track against CVEs, but several companies that commercialize these projects do, so choose wisely.

In addition to tracking the CVEs, admins can use OpenSCAP to do vulnerability scans. OpenSCAP can use Open Vulnerability and Assessment Language (OVAL) content to scan systems for known vulnerabilities where remediation is available. The trick is to ensure your chosen vendors provide OVAL content consistently, so again, choose wisely.

5. Use government-certified software.

Just because code is open source doesn’t mean it’s not government certified. Just like commercially supported proprietary software, commercially supported open source software may also meet government certifications like the FIPS 140 cryptographic standards and Common Criteria.

If your team is writing their own cryptography, please tell them to stop. Not only will they need to take the code through a lengthy and expensive certification process, their code is probably not as secure as something that has been scrutinized by the public and certified by labs for years.

Using FIPS-certified cryptography libraries to write your applications eliminates the need to obtain a FIPS certification yourself. Certified cryptography libraries let developers stand on the shoulders of the giants who already did the certification work.

6. Have a vendor at your side.

Ask 10 Linux administrators a question, and you’ll probably get 11 answers. Maybe 12. Which one’s right? The problem is even worse when doing web searches for issues, and some answers may actually do more harm than good.

By working with commercial vendors, you’re not only benefiting from their product knowledge, but you’re also benefiting from their experience with other customers who may have already solved the same problem you’re encountering. Also, when it comes to open source, you can get features added to a project yourself, but that takes time, effort and influence. By working with a vendor who is a contributor to the open source community, your voice can be amplified and change can result faster.

With these tips, introducing open source code doesn’t have to be an intimidating process. Open source software can be just as secure as proprietary software, with far greater benefits. The reduced cost and collaborative nature of the software allow for faster and more substantial innovation, resulting in improved efficiency agencywide.
