Posted on 08/18/2012 11:59:23 AM PDT by ShadowAce
One of the biggest lies told about open source is that it's insecure.
In letting just anyone use your code, that has to include the bad guys. They're bound to find a way to compromise it, the thinking goes.
But that's not the way it works in real life. Having every potential victim working on your neighborhood code watch turns out to deliver more security, not less.
Having everyone who might be the victim of an online break-in organized, finding bugs, writing and testing fixes, constantly improving security tools, works.
Don't believe me? Well, maybe you'll believe the National Security Agency or the Department of Homeland Security. The open source process works for them, too.
For a decade, one of the most popular intrusion prevention and detection systems has been Snort, created by Martin Roesch. But the company he built around that software, Sourcefire, only gives away the basic package. If you need extensions, if you want a more complete system, you have to pay. That code is controlled by Sourcefire.
There is nothing unusual in that. Many open-source businesses create free community and paid "enterprise" editions of their software. This is what Red Hat(RHT) is all about -- you can download Fedora Linux free or buy Red Hat Enterprise Linux. In both cases you get to see the code, but with the paid version you get the support needed to run it professionally.
But this model didn't work with Snort. The Department of Homeland Security, the military, and the NSA could not be "held hostage" to Sourcefire for improvements to the code, or for the specialized suite needed to protect the nation.
So the Department of Homeland Security got together with major contractors and formed their own open source project, the Open Information Security Foundation. OISF has its own intrusion system, called Suricata, whose syntax is based on Snort, so if you are accustomed to one you can use the other.
But Suricata will be a complete system, not just a "sniffer," as intrusion detection products are colloquially known. The whole Suricata suite will be open source. This process is now expanding, as I noted here at TheStreet.com on Monday.
In May, the National Security Agency co-hosted an Open Source Security Industry Day at a Johns Hopkins facility in Fort Meade, Md. As ZDNet's Steven J. Vaughan-Nichols reported, agency people described their needs for open source and urged suppliers to include open source in their offerings.
John Weathersby of the OSS-Institute, which is now affiliated with Georgia Tech in Atlanta, told me most of the day was devoted to small "breakout" sessions, where contractors answered hard, detailed questions put to them by key government customers. The affair wasn't just a series of sales pitches, he said. It was the first step in a negotiation.
Among the open source projects the NSA supports is Security Enhanced Linux (SE-Linux), for which it has developed an access control module called Flask, hosted at the University of Utah. Open source and security, in other words, do go together.
Open source can only provide tools. Procedures are also needed to assure that people maintain security. So the Cloud Security Alliance offers an integrated stack of such procedures, called the GRC Stack. GRC stands for Governance, Risk management and Compliance. This is maintained in an open process with the support of both contractors and software vendors.
Point is, open source and security do mix. They mix well. With more businesses moving toward cloud technology, much of it based on open source software, they are going to be doing a lot more mixing.
Thank you very much, vox_freedom!!
Thank you and your team for their very hard work and thanks
for keeping this site ad-free. Facebook ads annoy the heck
outta me!
Keep the faith! FReeRepublic will survive and become stronger!
Woo hoo!! Thank you very much, Ditter!!
Jim, I only wish I could give more. If I could invest in some securities and have the gains each month go straight to you, I’d do it in a heartbeat. I’m changing jobs and living arrangements in the next few weeks - when the dust settles, maybe I can ratchet things up.
That’s the down side of the Internet. It hurts. Personal privacy is lost.
God bless and keep you, dearest Marcella. You’re the very best.
Thank you very much, LUV W!!
Thank you very much, arderkrag! Good luck and God bless.
Monthly contributor here who is pissed that your annoyance at the Republicans is providing aid and comfort to our one true enemy: Obama. Sure, you live in California and can safely vote for whom you please. But, you are encouraging Freepers in Virgina, Florida, Ohio, etc. to do the same. If we do not defeat Obama, we will not live to fight another day. Let's get rid of the Communist in the White Hours, that's job 1.
I’m not encouraging voters to do anything other than vote their conscience and to vote straight conservative so we can impeach the corrupt usurping bastards.
And thank you very much for your support!
Thank you very much, dearest onyx!!
Looks like it’s time to double down. Will send another check. FR is worth it.
Cloud = Fog*
* = miasma
God bless and keep you and ALL of us here!
We are the sovereignty and the resistance!
God will help us save our Republic. We so pray!
“...if you are alive and take any action at all, information about you will be on the web.”
They know me as a FReeper and I’m cool with that. A monthly donor FReeper to boot!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
