
iTnews: Has security become a non-issue for enterprise Open Source?

Thursday, August 21, 2008


As a journalist at iTnews:

A two-year-old piece of Open Source code is likely to have far fewer security flaws than proprietary code, according to security expert Bruce Schneier.

Now, at a time when Open Source is gaining momentum in Australia, Schneier’s perspective could contribute to increased uptake in the enterprise, education and government sectors.

The recent Australian Open Source Industry & Community Report portrayed a ‘very strong’, ‘rapidly growing’ local market for Open Source in both private and public sectors.

Produced by Open Source consulting firm Waugh Partners, the census listed property and business, education, health, retail and government as industries that are most serviced by Open Source currently.

Sixty-one percent of census respondents were found to service organisations of 200 or more employees, suggesting that Open Source now reaches beyond small-to-medium enterprises (SMEs), to larger organisations.

However, the report highlighted ‘lingering misconceptions’ about the availability of Open Source vendor support, which could contribute to slow commercial and government uptake of Open Source solutions in Australia.

According to Renee Hoareau, who is the Executive Officer of the Victorian Information Technology Teachers Association (VITTA), a lack of suitably skilled network administrators has hindered the uptake of Open Source in schools.

“This is something the open source industry really needs to address,” she told iTnews. “More affordable training and certification for school network technicians is required.”

Skills shortage aside, however, Hoareau expects there to be ‘no technical reason’ why Open Source would be unsuitable for schools -- especially since Open Source software forms the basis of mission-critical environments in international companies such as Yahoo and Amazon.

Still, the security of Open Source software has been a talking point for some organisations in the past.

A report published last month by security vendor Fortinet suggested that enterprises are underestimating the security risks of eleven popular Open Source applications.

However, according to Hoareau, concerns about the public availability of source code seem to have vanished in the face of simple human management.

“Maintaining a secure environment involves following strict policies and careful procedures,” she said. “The most secure system in the world can be breached by a trusted person being careless with their password or security tokens.”

“Good school network security depends on good network management,” she said. “I would think Open Source applications pose no greater security risk for schools than any other type of software would.”

Russian security vendor, Kaspersky Lab, agrees that Open Source software is unlikely to be any more vulnerable to attacks than its proprietary counterpart.

Although Open Source code allows cybercriminals to find vulnerabilities more easily, vendors and developers are able to identify and fix flaws more easily as well, Kaspersky’s virus analyst Sergey Golovanov said.

To cater to clients who use Open Source operating systems on their servers and workstations, and those employing mixed corporate networks, Kaspersky Lab started developing security solutions for Open Source platforms ‘years ago’, Golovanov told iTnews.

“Obviously, in such a network all nodes have to be protected, so a security company must be able to offer the full range of solutions,” he said. “It is essential that we provide them with adequate protection for their IT infrastructure.”

But while Open Source could be a viable alternative to most proprietary software and applications, the effectiveness of Open Source antivirus and anti-spam programs is ‘a completely different story’, Golovanov said.

“There’s no way these [Open Source antivirus programs] can be effective today,” he said, noting the difference between Open Source programs that allow public access to source code, and free antivirus programs that are offered at no charge.

“The thing is that today antivirus is more a service than a complete product -- any antivirus [program] is almost useless without proper and regular updates. As an example, we provide updates approximately every 30 to 40 minutes, and we have to keep our antivirus labs working 24/7/365.

“And due to the fact that Open Source antivirus [programs] are created and supported by enthusiasts when they have free time, there’s no way an Open Source antivirus [program] can have regular and reliable support,” he said.

Max McLaren, who is the General Manager of Red Hat Australia, sings a different tune.

He highlighted SELinux, which was developed in collaboration with the U.S. National Security Agency in 2004, and is distributed with commercial support as part of Red Hat Enterprise Linux version 4 and all future releases.

While it does not perform antivirus tasks per se, SELinux -- or Security-Enhanced Linux -- enforces mandatory access control policies that reduce the ability of user programs and system servers to cause harm when compromised.

SELinux is also aligned with the U.S. Department of Defense’s Trusted Computer System Evaluation Criteria and involves role-based access control (RBAC), mandatory integrity controls and a type enforcement architecture.
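To make the type enforcement idea above concrete, here is an added illustration (not Red Hat’s or the NSA’s code) in Python: a toy evaluator for SELinux-style `allow` rules that shows why a compromised service running as root is still confined. The policy lines, domain names and file types are constructed for the example.

```python
"""Toy SELinux-style type enforcement check (added illustration, not SELinux itself).

Models the point made in the article: a mandatory access control (MAC) layer
is consulted in addition to the usual owner/permission (DAC) check, so a
compromised service running as uid 0 is still limited to the types its
domain is explicitly allowed to touch. The policy below is constructed for
this example and uses the SELinux 'allow' rule syntax.
"""
import re

# Constructed policy: the web server domain may read web content and append
# to its log, but nothing grants it access to shadow_t, so /etc/shadow stays
# off limits even if the process is root.
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr };
allow sshd_t shadow_t:file { read getattr open };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return {(source_domain, target_type, class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def mac_allows(rules, domain, target_type, cls, perm):
    """Type enforcement is default-deny: only an explicit rule grants access."""
    return perm in rules.get((domain, target_type, cls), set())

def dac_allows(uid, owner_uid, mode, perm):
    """Classic discretionary check; uid 0 bypasses file mode bits entirely."""
    if uid == 0:
        return True
    bit = 0o4 if perm in ("read", "getattr", "open") else 0o2
    return bool(mode & (bit << 6)) if uid == owner_uid else bool(mode & bit)

def access_allowed(rules, uid, domain, owner_uid, mode, ftype, perm):
    """Access passes only if BOTH the DAC check and the MAC check pass."""
    return (dac_allows(uid, owner_uid, mode, perm)
            and mac_allows(rules, domain, ftype, "file", perm))

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # A compromised httpd running as root: DAC says yes, type enforcement says no.
    print(access_allowed(rules, 0, "httpd_t", 0, 0o600, "shadow_t", "read"))
    print(access_allowed(rules, 0, "httpd_t", 0, 0o644, "httpd_sys_content_t", "read"))
```

Real SELinux policies also carry roles and MLS levels and are compiled into a binary policy, but the two-stage check (DAC, then a default-deny MAC lookup) is the part that limits the damage a compromised daemon can do.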

“We’ve had a number of Australian government organisations choose Red Hat because of that,” McLaren noted.

Currently, Red Hat Enterprise Linux has been adopted in security-critical applications such as: the U.S. Army’s personnel records management system; the U.S. Navy’s IT environment; the IT infrastructure of the Italian city of Marsala’s town council; and Europcar Australia’s desktop and server environment.

“The perception in the marketplace is that there is a concern about unsupported software,” McLaren said.

“I think customers feel confident [in Red Hat software] when they understand the difference between unsupported and supported Open Source,” he said, adding that Red Hat Enterprise Linux employs the ‘same level’ of testing as proprietary software.

McLaren described similarities between SELinux and Microsoft’s User Account Control infrastructure that has been introduced with Windows Vista, adding that ‘imitation is the best form of flattery’.

But according to Bruce Schneier, Open Source security is so far beyond that of software giant Microsoft that the comparison is moot.

“Comparing the security of Linux with that of Microsoft Windows is not very instructive,” he told iTnews. “Microsoft has done such a terrible job with security that it is not really a fair comparison.”

Echoing the comments of Kaspersky’s Golovanov, Schneier argues that Open Source code often undergoes a far more rigorous evaluation process than proprietary vendors can afford.

Proper evaluation requires the time and expertise of security experts evaluating a piece of code multiple times and from different angles, said Schneier, who is a globally recognised security technologist and author.

“It's possible to hire this kind of expertise, but it is much cheaper and more effective to let the community at large do this,” he pointed out. “And the best way to make that happen is to publish the source code.”

“There's no reason to believe that open source code is, at the time of its writing, more secure than proprietary code,” he said.

“A two-year-old piece of open source code is likely to have far fewer security flaws than proprietary code, simply because so many of them have been found and fixed over that time.”

But if the industry consensus is that Open Source software is, in fact, secure, then why do public security concerns still exist?

Mani Padisetti, who is the Chief Operating Officer and Director of Open Source services and support provider Digital Armour, pointed a finger of blame at ‘smaller proprietary software manufacturers’ who he expects to be intimidated by the Open Source licensing model.

“There are bigger vendors like Microsoft who are okay with Open Source, but there are also some smaller proprietary software manufacturers that still have the concern that Open Source will kill them, and they don’t want there to be any uptake of Open Source at all,” he said.

“I’ve sat in on a number of meetings where proprietary vendors have said that Open Source is unsupported freeware and not secure, and that’s just not true,” he said.

Digital Armour was founded in 2000 as a Sydney-based IT support and service consultancy that catered to the SME market.

Two years into its business, Digital Armour decided to focus primarily on Open Source systems to better suit customer demands.

“We have sold support primarily for Open Source systems and have also sold applications that are commercial Open Source,” Padisetti said, adding that Open Source systems often have technological benefits for specific requirements.
