Posted on 08/18/2012 11:59:23 AM PDT by ShadowAce
One of the biggest lies told about open source is that it's insecure.
In letting just anyone use your code, that has to include the bad guys. They're bound to find a way to compromise it, the thinking goes.
But that's not the way it works in real life. Having every potential victim working on your neighborhood code watch turns out to deliver more security, not less.
Having everyone who might be the victim of an online break-in organized, finding bugs, writing and testing fixes, constantly improving security tools, works.
Don't believe me? Well, maybe you'll believe the National Security Agency or the Department of Homeland Security. The open source process works for them, too.
For a decade, one of the most popular intrusion prevention and detection systems has been Snort, created by Martin Roesch. But the company he built around that software, Sourcefire, only gives away the basic package. If you need extensions, if you want a more complete system, you have to pay. That code is controlled by Sourcefire.
There is nothing unusual in that. Many open-source businesses create free community and paid "enterprise" editions of their software. This is what Red Hat(RHT) is all about -- you can download Fedora Linux free or buy Red Hat Enterprise Linux. In both cases you get to see the code, but with the paid version you get the support needed to run it professionally.
But this model didn't work with Snort. The Department of Homeland Security, the military, and the NSA could not be "held hostage" to Sourcefire for improvements to the code, or for the specialized suite needed to protect the nation.
So the Department of Homeland Security got together with major contractors and formed their own open source project, the Open Information Security Foundation. OISF has its own intrusion system, called Suricata, whose syntax is based on Snort, so if you are accustomed to one you can use the other.
But Suricata will be a complete system, not just a "sniffer," as intrusion detection products are colloquially known. The whole Suricata suite will be open source. This process is now expanding, as I noted here at TheStreet.com on Monday.
In May, the National Security Agency co-hosted an Open Source Security Industry Day at a Johns Hopkins facility in Fort Meade, Md. As ZDNet's Steven J. Vaughan-Nichols reported, agency people described their needs for open source and urged suppliers to include open source in their offerings.
John Weathersby of the OSS-Institute, which is now affiliated with Georgia Tech in Atlanta, told me most of the day was devoted to small "breakout" sessions, where contractors answered hard, detailed questions put to them by key government customers. The affair wasn't just a series of sales pitches, he said. It was the first step in a negotiation.
Among the open source projects the NSA supports is Security Enhanced Linux (SE-Linux), for which it has developed an access control module called Flask, hosted at the University of Utah. Open source and security, in other words, do go together.
Open source can only provide tools. Procedures are also needed to assure that people maintain security. So the Cloud Security Alliance offers an integrated stack of such procedures, called the GRC Stack. GRC stands for Governance, Risk management and Compliance. This is maintained in an open process with the support of both contractors and software vendors.
Point is, open source and security do mix. They mix well. With more businesses moving toward cloud technology, much of it based on open source software, they are going to be doing a lot more mixing.
From the bottom of my heart, God Bless you Jim! And thank you so very much for all that you do and for giving us Free Republic! You are an inspiration to us all!
***************************
We love you, Jim.
I found FR around 1999. I lurked for a year or two and finally joined around 2000 or so. This site has been a saving grace to me. I think I got a blister on my index finger refreshing every two minutes during the 2000 election. I still visit a few others sites, but they never seem to be as up to the minute or have as many intelligent posters as we have here.
Jim, thank you for allowing me to see that there are others who have the same thoughts and frustrations as I do. It helps to keep the sanity.
TC
BUMP!
BUMP!
You betcha!
“Putting up with you” = crazy talk...LOL.
Outstanding! Buuump!
That left a mark. Getting to the thread late - due to my work schedule. Sure glad I didn't miss your post. "Poking Obama in the eye with a Ryan-shaped stick." Then add the Newsweek article provoking Obama with Ryan again. I have a few things to smile about today.
I am advertising your post.... too clever not to spread around.
While FR folks have done other great things (especially Kristinn DC group with the Walter Read weekly thing), and I've participated in some ... You, BobJ, JoyinDC, jolly, CAL, myself, and the many many volunteers will always have "The March For Justice".
Just wish I had the time to watch the festivities, especially with Neil assisting you in front of the opening ceremony with all the State flags. But duty called me everywhere on the grounds as you may recall. Unlike the liberal demonstrations of the time and now, we left the grounds immaculate.
Bless you old Patriot. I'm truly sorry I let Mojo get into my head with their anti-freeper nonsense. I just hope somewhere you saw me defending you and your family. Still, no excuse. One of my biggest regrets - hope some day you will forgive me.
Best to you and yours,
Rodger Hunter
USN: 1975-1986
Patriot Guard Rider;
Wounded Warrior supporter;
VetsCoR co-founder;
Stand Up For America; on the streets before FR activism. Remember our efforts to stop the Chi-coms (COSCO) from leasing the closed historic Long Beach Naval Station? We won that one.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.