System News
Security and Open Source
Government Realizing Benefits of Open Source
April 24, 2006,
Volume 98, Issue 4

...predictor of robust code is whether security was a top priority during the development cycle or just an afterthought.

-- John Pescatore

In an article, writer Andrew Bardin Williams asks whether open source solutions are secure enough for government IT infrastructure.

Gartner Analyst John Pescatore told Williams, "There is a myth out there that because the bad guys see the code, there are more vulnerabilities."

Pescatore believes that many open source solutions are more secure than closed source solutions and may even be a better fit in the government sector. He continued, "...the truth is that the better predictor of robust code is whether security was a top priority during the development cycle or just an afterthought."

In assessing security, many governments use the Evaluation Assurance Level (EAL) certification of the Common Criteria security specification to evaluate products on security standards agreed upon by North American and European governments. This certification is used to separate products that have demonstrated their security, as audited by expert third parties, from those products that cannot or have not attained the certification. Common Criteria evaluation standards are accepted by over 22 different countries.

Sun's open source operating system, Solaris™ Operating System (Solaris OS), has achieved an EAL 4+ certification, as has Novell's Linux platform.

The United States federal government also uses security benchmarks to evaluate solutions that usually go through the National Information Assurance Partnership (NIAP), an organization under the National Security Agency (NSA). NIAP seeks to maintain security standards in IT systems used by the federal government. Unfortunately, going through NIAP can be expensive. According to Pescatore, many smaller vendors are unable to finance such testing and either have to team with larger vendors to have their solutions tested or completely pass on receiving these benchmark results.

Government agencies using open source solutions can benefit from the broad user community in the commercial space committed to maintaining security. These user communities like are always testing the software, developing fixes and sharing patches. is a community of developers using the open Solaris OS and is said to have 11,000 members of which only 1,000 are Sun employees. When a security flaw is identified, these users have a vested interest in finding a quick solution. For governmental agencies using the platform, the's resources can be used to their benefit. Rather than spending time and money developing their own patches or relying on vendors, governmental agencies can look to the community for solutions. Once a patch is developed, usually the open source vendor agrees to support it and incorporate it into subsequent releases.

"Bugs are getting fixed in record time because of open source, so there is now an architecture argument in favor of open source security," said Alan Kraft, vice president of the federal group for Novell. More quickly deployed patches mean a shorter period in which a government agency is vulnerable to attack.

"When it comes to the government sector we need to be aware of what is in the best interest of the public," Kraft said. "The fact is that open source, and the community that supports it, may be better suited in government."

A state agency that has taken advantage of the open source alternative is the Department of Human Services (DHS) for the state of Oregon. Dennis Wells, the policy and planning manager for the office of information services for the state of Oregon, said he needed a customer relationship management (CRM) solution so Oregon DHS could better track the more than one million residents who use the state's services each year.

"I wasn't really concerned with open source versus closed source. I decided to just look at all the alternatives," Wells told Williams.

SugarCRM, an open source application that was customizable, was selected. Wells was satisfied that SugarCRM had proven that its software was just as robust and as stable as any other solution he evaluated. Once he received approval from Oregon's IT department for security and business process requirements, Wells downloaded and installed the open source solution for free in less than ten minutes.

In Pescatore's opinion, since security is no longer an issue when deciding whether to use open or closed source solutions, purchasing decisions can be based primarily on functionality and price. He concludes that the security argument against open source is a dead issue.
