In Inc.'s January 2005 article Open Source: It's Not Just for Geeks Anymore!, Al Canton wrote: "No one is quite sure how to define fire, but everyone knows what it is. Open source software is the same. Like fire, we know what open source does, we know what open source looks like, and we know it when we see it, but no one agrees on a definition."
I think that perception has changed, and in January 2010 we published California IT Policy Letter 10-01, which formally establishes "the use of open source software (OSS) in California state government as an acceptable practice." I was surprised by the attention the policy received. While most of it was complimentary and supportive, there were a few warnings that reminded me of the ancient maritime maps that depicted dragons in uncharted waters under the legend: "Here be dragons."
As a security guy, I've seen the good and bad of OSS and have concluded that anyone who doesn't think OSS has a place in today's business or government simply hasn't been paying attention. While integrating OSS into an organization should never be a casual decision, the choice to adopt an OSS policy should be made based on issues, such as business need, reliability, ease-of-use, return on investment and yes, security. Being too cavalier is certainly hazardous, but just like when considering a commercial-off-the-shelf (COTS) product, it's important to take a risk-based approach and do your appropriate due diligence.
Although not too many people would say that COTS shouldn't be part of our IT environment, I think it's time to acknowledge the OSS elephant in the room. We need COTS, but should all COTS software be trusted because it comes with a license from a reputable vendor? I don't think so. Consider the regular (and irregular) patch cycles you go through every month before answering that question. Have you ever considered the resource cost to complete your monthly operating system and application patch updates? Is there any question that the Linux operating system, the Firefox Web browser or the Apache Web server is a mature product delivering real value? Of course not! In fact, they're the de facto standards in many organizations. Additionally, there are dozens of excellent OSS security tools that many organizations depend on to monitor and identify vulnerabilities within their IT environments. Snort, Nagios, Metasploit, OpenSSH, PuTTY, Nmap and Wireshark are some of the OSS security gold standards, but there are many others.
Over time, the open source community has proven to be somewhat self-policing, where the best products get adopted and widely used, while the stuff that doesn't meet standards gets a well-deserved funeral. It seems to me that thousands of developers and hackers beating up on open source code is an efficient and transparent way of identifying software bugs and vulnerabilities. When the code is available to the public and people can identify, comment on and document problems, things get fixed more quickly - kind of like software market Darwinism, where only the strongest code survives.
There are plenty of arguments against using OSS, including the "there's no guarantee of future support" hymn, but how many hours have you spent on hold with some clueless support tech trying to translate a script he or she doesn't understand? At least with the open source community, you have access to worldwide support available almost any time of day and it's typically free. So while there are some criticisms, there's also a lot of valid business rationale for using OSS.
In these challenging economic times, we all must be on the lookout for efficiencies and savings, and OSS is a logical and realistic option. While not obviating the need to determine our own security risks, when large organizations like the Department of Defense make policy decisions to use OSS, we might be a little irrational by saying we're too different or too important to consider the same thing. Given the option of spending a lot of money and locking into a long-term commitment with a vendor, in many cases the rational decision may be the cheapest decision and that might just be OSS.
Mark Weatherford is the director and chief information security officer (CISO) of California's Office of Information Security. He previously served as Colorado's CISO.