Last week I wrote a post taking to task Steve Chang, the chairman of security company Trend Micro. Chang made a statement to the effect that open source was inherently less secure than non-open-source software because the source code was open and available to hackers. Specifically, he was comparing Android to Apple's iOS. Of course I think this way of thinking is nonsense, and I am not alone in thinking that. What made the statement even more outrageous was that Chang made these remarks at the same time he was announcing his company's security suite for Android. So either Chang really believes what he was saying or he was just saying it to sell more copies of his company's software. Either way, Chang and Trend Micro lose a lot of credibility in the open source community.
What made Chang's statements even more incredible is that Trend Micro actually owns an open source security project called OSSEC. OSSEC is an open source host-based intrusion detection system (HIDS). It has been around for years and is generally well respected in both the security and open source communities. A few years back the developers of OSSEC sold their IP and interests in it to a commercial HIDS vendor named Third Brigade. Third Brigade had high hopes of continuing development and even accelerating development on the project through their corporate support and sponsorship. Before those plans got too far off the ground, though, Third Brigade itself was acquired by Trend Micro.
So you see the conundrum. If the chairman of Trend Micro truly thinks that open source is not secure, why do they own an open source security project? What does it say about its sponsorship and support of this project? To say something doesn't add up is an understatement.
In my previous article I said that because the front page of OSSEC shows the last news update was in October, Trend must be neglecting it. While Trend may be neglecting it, though, that doesn't mean the project itself is not alive and well. As so many of my fellow security bloggers and tweeters reminded me, OSSEC has a vibrant community that is supporting it. They have released several versions since the Trend takeover. While Trend itself may be ambivalent at best towards its red-headed open source stepchild, OSSEC is alive and well.
So if I gave the impression that OSSEC was wasting away, I am sorry and wrong. Let me be very clear. OSSEC is thriving in spite of Trend. There is little to no evidence of Trend's support here beyond what they were obligated to do via contract. See the comments from my previous article for more details.
My words do not excuse Trend's missteps or mistakes, though. Their attitude towards open source, besides being mistaken, I frankly find infuriating. If they really think that, they should cut OSSEC free so it can be led by its community, and they can reap any benefits that may flow from it. It would be hypocritical for Trend to benefit from open source if that is how they feel.
By the way, I gave several OSSEC members the opportunity to speak with me and give me more details from their point of view on this. So far they have declined to do so. Actually, one said he would if I would donate the money I make from that post to a FOSS project. Upon hearing how much that would amount to, I have not heard from him since.
I wanted to set the record straight and remove the foot from my mouth. I am a huge Steelers fan and am looking forward to the big game Sunday. But I am not going to make any foot jokes about football coaches or anything ;-) Here We Go Steelers!