is that you are depending on the good will of the larger community for everything, but that's not true," said Stein, whose department maintains support contracts with Red Hat and Novell.
There are reasons for the misperceptions. Open source is an underground development, and was, for quite some time, a tinker's toy. At the same time, because the code is free, some assume its use is a free-for-all, with managers left to their own devices when it comes to patches and upgrades.
Today's open source community says otherwise. With a combination of vendor support, and an active base of users eager to share information, help seems to be readily available.
Wells gets support from Sugar CRM and a user community whose patches and changes are first vetted by Sugar CRM technicians before being widely released. It's one of the things Wells likes best about open source.
"This way you have the opportunity to engage in that discussion," he said, rather than just watch for patches as new threats evolve.
"The opportunity for response may be quicker," Wells said of relying on community support. "The releases you see for open source are more frequent, and there is maybe a greater sense of pride in work, pride in ownership."
This enthusiasm for open source products' communal nature is commonly heard, but some say the dependence upon homegrown patches comes with its own set of risks.
Shoemaker puts it this way: Suppose a user in the broader community crafts a patch for some new nasty. Now suppose another user distributes a patch for some other piece of malware. Now suppose those two patches can't play nicely together.
"Now your machine doesn't work because one patch doesn't work right with someone else's patch," Shoemaker said, adding that his solution is to go with a proprietary, corporate-sponsored version of Linux, such as a version supported by IBM, and to get patches only from the vendor. "That would be the only way I would feel comfortable with it."
Another alternative would be to turn to proven, recognized open source tools designed with security in mind.
"Snort is a well known intrusion detection system that enables organizations to detect attempted security attacks and stop them," Golden said. "Because these applications are free, governmental agencies can, without trying to scare up budget dollars and without going through extended budget cycles, put protective mechanisms into place to secure sensitive applications and data."
Finally there's always the possibility of an upgrade.
Developed in conjunction with the National Security Agency, Security Enhanced Linux delivers security in the form of mandatory access control. In essence, an administrator can dictate which functions programs can perform. Thus, if a virus reaches an application, an administrator can curtail the damage by limiting full functionality of that application.
On the Radar
Ironically it may be the very success of Linux that has led to its newfound position as target du jour.
"As soon as a platform starts becoming more popular, viruses and other malicious programs for this platform will begin to appear," Kaspersky reported. "Of course, software developers issue patches for known vulnerabilities, but this results in virus writers searching for new methods and weak spots to attack. Overall, malware gains momentum in a snowball-like fashion."
For Linux and open source users in government and elsewhere, that means the worst may be yet to come.
"It was inevitable that these kinds of attacks would be launched toward open source operating systems like Linux," Golden said. "Hackers focus on large targets. As open source has grown, it presents a larger opportunity."
Some say the operating system's openness invites abuse by offering hackers direct access to the guts of the system. But open source proponents say just the opposite is true. A proprietary system hasn't stopped Windows hackers, they note. Moreover, the financial logic of open source may make it especially compelling for cash-strapped government users.
"Since the software is available at no cost," Golden said, "there is never any danger of security fixes being unavailable because software maintenance fees have not been paid or, even worse, software maintenance support being skipped due to budgetary pressures."