Users at LinuxWorld talk up security

Regulatory burdens and intellectual property issues also get an airing.

By Phil Hochmuth, Network World
April 10, 2006 12:08 AM ET

Network World - BOSTON - In conference sessions and hallway discussions at LinuxWorld Expo last week, open source users swapped strategies for hardening Linux servers and building open source applications that can repel hackers, stand up to regulators and survive the scrutiny of intellectual-property lawyers.

One company betting the server farm on open source is AthenaHealth, a company in Watertown, Mass., that processes insurance claims and manages information for small medical practices and large hospitals. The company has built a large extranet application based on Linux servers running Oracle, Apache Web Server and a modified version of the open source SugarCRM application.

"Open source doesn't really increase our security risk; our risk is quite large for plenty of other reasons," said AthenaHealth CTO Bob Gatewood, whose company stores 15 million medical records, as well as Social Security and credit card numbers for the patient data it manages.

Gatewood delivered a keynote speech at the conference, which drew about 8,000 attendees and 150 exhibitors.

"It doesn't make a difference if your infrastructure is open source or not," Gatewood said. "The security issues with proprietary software are pretty well publicized, but I don't think in general there are any fewer security holes in open source stuff. . . . Keeping the network secure comes down to our testing process."

When developers want to use a new open source module, the software is deployed in a test network where its behavior is studied, and it is put through security and quality-assurance testing. This process is in place to handle any open source legal and technical risks.

"This triggers a process where we take a look at the license and give it to our lawyers, and our release engineers take a look at the code to determine if it's safe," he said.

About the intellectual-property aspects of open source, Gatewood said, "we have to look at what [open source] we're using. Our lawyers are very much interested in keeping track of what modules and licenses we use, whether it's [General Public License] or something else." Because AthenaHealth does not make major modifications to the open source software it uses, issues of violating open source licenses by tinkering with code are not much of a factor.

Predeployment technical testing of open source code is also an important process for Midwest Tool & Die in Fort Wayne, Ind. It uses Linux servers, Apache and SugarCRM to run its manufacturing and e-commerce systems.

"We test-bed everything," said Craig Swanson, vice president of systems for the manufacturer. "I can duplicate my network now very easily with virtual machines," in order to set up a full replica of the network for tests. "We have an open-door policy on installing anything you want in the test environment. But we're rigid on documentation, and we're rigid on testing and verifying what packages we can install on the final system."

The company uses Fedora servers, the free, open source version of Red Hat Linux, to run its production environment and Web presence. As a precaution, Swanson uses the open source Mondo Archive tool to take snapshots of its production server images, and keeps backup configurations that can be brought online quickly in case of failures or system problems.
