“We have used many different open source tools for security and in day-to-day activities. Most of the population has likely used open source items in one form or another, such as cell phones, operating systems within their cars or other home devices, and many other embedded systems. The security around these platforms is often made up of components from different open source projects. An example is that the embedded Linux system in a car would have security components that would be seen in a production web server,” Taylor said.
Many tools that are open source are more readily usable than their closed source alternatives. The visibility of how the code works lets an end user quickly integrate the open source tool into existing systems. “When we are examining potential new tools, selecting an open source project which satisfies our needs is typically a better option than the alternatives. This is because we are able to rapidly deploy an open source tool without making a financial commitment to another company. It also lets us determine a proof of concept for using the new project,” he said.
Rook Security uses SNORT and Suricata for network monitoring, Elasticsearch as a database solution to handle many types of data, and OpenSSH for connecting securely to a host using strong encryption and authentication methods.
Bill Weinberg, who is senior director and analyst of open source strategy at the Linux Foundation, said open source software is deployed in nearly every aspect of enterprise infrastructure and across enterprise networks “to a degree unimaginable just a few years ago”.
He cited a Gartner report that found an average 29 percent of enterprise software stacks are comprised of open source software, with best-in-class organizations utilizing up to 80 percent open source in their portfolios, freeing funds and resources to develop, acquire and deploy commercial/proprietary code for the most differentiating and/or business-critical functions.
When asked if open source is secure for every corner of the enterprise network, he said, “The issue isn’t whether open source is secure enough for PII - it’s whether the systems processing PII are sufficiently secure. The whole networks and the apps that run on them, which are today a heady mixture of proprietary and open source code.”
“We are entering a ‘post proprietary’ era where it is basically impossible to build and deploy applications without some integration of open source software. This phenomenon extends from the enterprise desktop to enterprise data center applications to the cloud and of course to mobile/embedded,” he said.
Finance and human resources, while handling highly proprietary and sensitive information, are not immune to the benefits of deploying on and with open source, Weinberg said. “On premises, HR and Financial apps run on Linux and integrate a range of open source libraries and middleware,” he said.