Security software developers today are building new door-locks in a world where everyone is a locksmith or burglar. Their task is made a lot harder by proprietary software, which allows only a handful of inventors to see the innards of the locks they're trying to improve. It stands to reason that a door-lock -- or security software -- that can be examined inside and out by many developers can be built much stronger than one produced in a closed, proprietary development setting.
Quality is an area where open source security software outshines proprietary products. There is usually little or no review of proprietary closed-source security tools. This means that vendors can base a large part of their security on the assumption that no one has access to their source code, so they can implement security by obscurity. Furthermore, as peer source-code review cannot happen, bugs are not usually discovered for a long time, if ever. However, the "black hat" community will devote significant resources to breaking the security of these systems, giving the attackers a major advantage over the vendor. There are several vulnerability detection companies, such as eEye Digital Security, that have made a very healthy profit through attacking closed-source code.
On the other hand, open-source developers know that their source code will be examined carefully by potential attackers, and they must, therefore, work much harder to protect against attacks. They cannot rely for one minute on "security by obscurity," as it simply doesn't exist in the open-source security world. Features must be carefully thought out, well-designed and well-implemented to avoid security holes. The system is designed and implemented on the assumption that it will be attacked by people who fully understand how all parts of the system work.
Today, many companies are becoming much more open to using open source security software because the lack of review leads to low quality standards in proprietary software. Many people working in corporate IT departments have told me about implementations of new proprietary software packages that did not go well, due to quality issues, ending up going way over-budget and over-time.
Besides the quality issue, open source software is appealing because it is often freely licensed, saving a company the licensing cost. Even if the introduction of the software goes over-time, it at least is unlikely to go vastly over-budget.
Now, if a company's IT team and decision-makers understand these advantages of open source security software, they could still be discouraged by valid business concerns, such as:
- Will the product development continue?
- How can they purchase maintenance and support contracts?
- Will they actually be able to get help when they need it?
Concerning the first question, they might ask: What if an open source software package is only maintained by one person, and what happens if they decide not to continue development any longer? The answer is that virtually all open-source applications are known and understood by a team of people from around the world, so the disappearance of one person has no long-lasting effect on the development.
As for the second question, it's true that maintenance and support contracts are areas in which the open-source community has traditionally been somewhat lacking. However, the community knows this is a very valid concern, and so the business world has stepped in to fill the gap. Companies such as LinuxIT and, forgive the plug, Fortress Systems Ltd., were formed to provide commercial-grade support of open-source community software packages and systems. They are geared up to provide service level agreements and to liaise with the development team as necessary when resolution of a customer's problem is beyond their knowledge of the product.
What's really different about using open source software is that the relationship between the developers and users is usually a close one. Users can directly contact the original developers, a position which is often difficult or impossible in closed-source systems. Even resellers of closed-source systems rarely have direct e-mail access to the original developers of the product, instead having to go via several layers of support staff at the original vendor's company. They are therefore limited in what help they can get. In the open-source world, the users and support companies can always directly contact the development team.
Open source security software users whom I know have been impressed by the speed and quality of support available from developers of open-source systems. This is not simply because the software is open-source, but is because of the development community model in which open-source products are normally developed. If you want to see an example of this, take a look at the MailScanner user testimonials guestbook, where users write their honest opinions of the value of the software itself and the quality and speed of support they get.
About the author: Julian Field is the developer of MailScanner and CTO of Fortress Systems (Washington, D.C.), a consulting and service provider for e-mailing and e-mail security systems.