Open Source Security Professionals

In economic times such as these it is imperative that architects and leads alike look beyond the glossy software catalog and instead to the web. In the past we often discounted open source as unsupported and hacker-like in its development efforts. One would hope that in this day of enterprise open source powering the majority of web applications we could back away from the mantra of yesteryear.

The argument often heard in corporate America is: without a company backing it, how can you trust the source of the code? In the same breath they will speak of Microsoft and Oracle as pristine trophy holders of American ideals. In this global economy and 24×7 development cycle there is very little code still developed stateside only. The ocean and the time zone difference allow for rapid development cycles and releases. It is ignorant to think that Microsoft’s code is not spattered with code developed in foreign countries. The bazaar development paradigm has extended well beyond the weird GNU hackers in their basements; even Microsoft and other commercial entities have opened their doors to this development process.

As security professionals we must be the voice of reason. Most commonly the argument lands on our doorstep. The corporate IT groups and managers look to our nod for a successful deployment. We owe it to ourselves and the industry to take a dispassionate review of all products and benchmark them against the same criteria we would apply to any product. It is tempting to count source code availability as a pro for deployment, but it is important to pull away from this position. When is the last time you performed a code audit of one of the multiple open source products you are employing?

Rather, use the larger establishment to verify your position. DoD, DISA, NSA, and US-CERT are all running open source code reviews. A quick US-CERT search for vulnerabilities will yield many open source tools with results. There is no discrimination between closed and open source models in their review of security. When we as a professional organization remove the zealotry and religious-esque view of products, we can then pick the right tool for the job.

For those of us with a foot on each side of the court, reviewing products for both security and IT lifecycles, the key is very simply to support open standards. Opening the selection process to any tool that supports open, documented standards levels the battlefield. It is unrealistic to compare the merits of Apache’s ASP support to IIS and expect useful results. Likewise it is unrealistic to compare 7za compression formats to WinZip and ding 7za for utilizing a proprietary format.