Comments : Open Source Security Myths Dispelled

The decision to deploy proprietary, rather than open source security solutions (OSS), is often influenced by some commonly held perceptions.

Many IT professionals can’t seem to shake off the belief that OSS is inherently risky unreliable and complex. I am going to examine the most common of these perceptions to highlight how the facts are very often the exact opposite to what people believe.

Open source critics often doubt the stability of the platforms. The number and frequency of patches that OSS products need to stay secure is high and rapid.

However, the fast flowing evolution inherent to open source products means that potential vulnerabilities and design flaws are uncovered faster than in programs built on proprietary code, which typically have fewer developers – all of who are restricted in working to defined development objectives and timescales.

When commercial security vendors integrate OSS products into their solutions they ensure that all components are updated via automated processes so the fast pace of change is delivered to the end-user seamlessly and is not a burden on IT departments.

Businesses are also put off paying hard cash for an OSS solution, believing that as it can be downloaded for free, it’s pretty cheeky of the OSS vendors to charge. It’s true that OSS can be downloaded for free but businesses need to be aware of what the free product fail to include.

Intuitive GUIs, redundancy, failover, auditing, reporting, and other similar capabilities tend to be overlooked by open-source developers, who focus on technical challenges rather than business ones. Companies that commercialise OSS, add value with documentation, guides, interfaces and interoperability, providing users with the best of OSS and proprietary software worlds.

OSS projects are viewed as adding complexity into the IT infrastructure but they are no more complex than proprietary solutions. The standard shrink-wrap proprietary products don’t guarantee interoperability with competing products.

Additionally, to secure features not available in its products, propriety vendors will just point customers to equally expensive partner solutions. These layers add complexity to the IT infrastructure and present multiple points of failure.

A mixed-source solution, blending open source with the proprietary code of a commercial open-source vendor, gives organisations the flexibility to change security policies without fear of breaking contracts and voiding warrantees while avoiding interoperability issues.

Vendors are often criticised for taking from the OSS community but not giving anything back. Some even question the legality of charging money for products based on the work of others. This myth comes from a misunderstanding of open source licenses.

The most common open source licensing, the GPL, states vendors are free to distribute and sell OSS if they follow the rules of the license and add value. Vendors not only harness existing projects and code-bases in order to build solutions, but also add value by offering features, performance improvements and financial support.

Like Chinese whispers, myths surrounding OSS have become distorted over time. The open-source community has created remarkable tools, but as the community focuses more on creation than marketing, end-user awareness suffers.

Mixed-source security solutions give customers the best of both worlds – the low cost and reliability of open source and the technical support, training, and user-friendly interfaces of proprietary products. OSS security is no longer just a tool for the technology obsessive.