In 2003 Sreenivasa Rao Vadalasetty helped write a report for the SANS Institute that was titled “Security Concerns in Using Open Source Software for Enterprise Requirements.” To some that title today is almost laughable.
The report stated: “Though the open source has potential to be more secure than its closed source counterpart, it should not be taken for granted that open source is more secure because there are some constraining factors. Despite the fact that the source code is available for everyone, several vulnerabilities in open source remain undiscovered ....”
In a survey done by Black Duck Software last year, the findings showed that use of open source software has increased. The survey, which analyzed input from a record 1,300 C-suite and senior IT professionals, shows that 78 percent of respondents said their companies run at least part of their operations on open source – a number that has doubled since 2010.
“We’ve come a long way since then. It’s clear that open source has become the default base for software development, infiltrating almost every facet of the modern enterprise and outperforming proprietary packages on quality, cost, customization and security,” said Paul Santinelli, general partner at North Bridge, which partnered with Black Duck on the survey.
The survey goes on to say that 55 percent noted that open source delivers superior security.
“Open source security products have been used for more than two decades. Let's take Snort, for example. Released in 1998 and used for IDS/IPS by some of our own government's three-letter organizations. OSS originally got a bad rap for poor security due to proprietary software vendors' FUD tactics. Many companies have come to realize that more patches fixing security are released for OSS than most proprietary products. Why? The size of the community in any given project, agile processes and the need to act quickly to resolve any issues. Proprietary vendors still have a lock on finance and [human resource] applications... but that could be the next area for innovation in open source software,” he added.
Michael Taylor, applications and product development lead at Rook Security, said the open source community has consistently created excellent tools for both general and security purposes. “The reason these tools have been successful is that they are created in the open, so there is no mystery behind what the code is actually doing. This allows each user to determine for themselves whether they are comfortable with the actions of the tools,” he said.
Additionally, he said, the user gets to be involved in the development process through the creation of additional features, bug reports, and code review of the projects. This community involvement greatly increases the population of testers and code reviewers.