The US Pentagon is set to make a major investment in open source software, if section 886 of the National Defense Authorization Act for Fiscal Year 2018 is passed. The section acknowledges the use of open source software, therelease of source code into public repositories, and a competition to inspire work with open source that supports the mission of the Department of Defense. IT security experts commented below.
Cesare Garlati, Chief Security Strategist at the prpl Foundation:
“More and more organisations choose open source software not because of cost considerations but to maintain control of the overall technology strategy, so it’s encouraging that the Pentagon is realising the benefits. Compare thecode creation and maintenance processes of these commercial entities to more eyeballs on a typical piece of open source software and it’s easy to see why many regard the open approach as the preferred path to stable, secure code.
“Too often with proprietary software, features are added or removed according to commercial imperatives, internal politics or other corporate dynamics rather than the best interests of the software and users. In open source, it’s all about doing what’s best for the software and the end-user community. There’s a clean, clear, Darwinist logic at play in the open source community where only the best code survives.
“However, there has long been a stigma attached to it that open source software means it’s free, but that is not necessarily the case. To get the best out of open source, it requires skilled professionals and developers as well as global, interoperable standards. They effectively allow firms to outsource the trickiest work to the subject matter experts. These experts create the most secure standards and frameworks possible for designers to follow.”
Javvad Malik, Security Advocate at AlienVault:
“The arguments for and against the use of open-source software are long-standing. While licence costs are eliminated by using open source software, it doesn’t eliminate the associated costs of support, maintenance, and hardware requirements. In the big scheme of things, the license cost may be insignificant in some instances.
The second widely-debated aspect is the security. The general consensus is that open source software may be more secure because there are more chances for researchers to discover flaws. However, as we saw with OpenSSH and similar, that is not always the case.
Ultimately, it comes down to individual companies, its risk appetite, and financial requirements. There is no one approach that would suit all scenario’s, but care must be taken to not switch on the basis of false promises.”
Tim Erlin, VP at Tripwire:
“While public discussions about open source often turn to security, the reality is that most organizations make the choice between open and closed source software based on cost. Most open source software is free to use, and most closed source software is purchased. While it might seem clear that open source is less expensive, it often comes with increased requirements for staff and skills. Filling in the gaps in enterprise deployment of open source is the founding principle behind successful companies like Red Hat and Sourcefire.
While the principle that open source is more secure because the code is transparent makes sense, it’s not always reality. In order to reap benefits from that transparency, someone has to actually spend the time and effort to examine the code. Popular open source projects have plenty of resources looking at the code, but less well known projects may not.
Neither open or closed source software is a panacea. There are benefits and drawbacks to both approaches. A balanced, rational process for choosing between open and closed source solutions is the best strategy.”
Mel Llaguno, Open Source Solutions Manager at Synopsys:
“OSS is now a national security concern. The challenge to secure it is becoming evermore paramount for the community.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.