Open source still looking to shake off concerns

Security and intellectual property issues remain despite exploding popularity

Although open source software has gained a place in enterprise networks alongside proprietary software, it can't seem to shake doubts about security and intellectual-property issues that have long dogged the movement.

"The advantage of open source is that no single entity has authoritative control over a project," says Mark Driver, an analyst at Gartner. "There's no single choke point." One theory holds that because it's open source, software security problems can be discovered quickly, he says. "But one argument says open source is less secure and people can put bad things in it, and that's true, too," he adds.

Whatever the doubts, the open source movement, now counting in the tens of thousands of "communities" of volunteer software developers, is coding en masse to yield a bounty of operating systems and applications. Open source is not only here to stay, it's transforming traditional commercial software practices.

Open source software components are being worked into commercial software through tools such as Eclipse and NetBeans. The Linux operating system isn't only becoming a corporate favorite, as is evident at Wall Street firms today, but middleware applications such as Geronimo, JBoss, MySQL and Hibernate also are becoming commonplace in the enterprise.

Gartner estimates that by 2013, 80% or more of commercial software in production will have elements of open source.

The trend today is for IT managers in business and government to try to assess each open source software project by the company it keeps, critically viewing the maturity of each community in maintaining its code base by adding extensions or fixing bugs. If established vendors such as IBM, Red Hat and HP are involved in supporting the software, that's usually seen as a plus.

The most ambitious open source adopters for business use still tend to be the "technology aggressive," Driver says, because they have an internal R&D team that can support it, or they will hire support from vendors.

So what are the more pressing security and intellectual-property implications that remain?

One main question is how security vulnerabilities are discovered and fixed. There is often a different methodology at work than can be found with closed source, proprietary software vendors.

Microsoft — once close-minded, wary and stubborn about accepting advice from any outsider about discovered security flaws in its products — has gradually opened up over the years to establish clear lines of contact with security experts to discreetly share critical information about vulnerabilities they discover.

Microsoft's latest effort in this area, unveiled this month, draws security vendors even closer to the Redmond giant, promising a select group of them access to vulnerability data well in advance of Microsoft's monthly security advisories so their software remediation products can be ready at the moment of Microsoft's public notifications. Microsoft says it's doing this to thwart hackers exploiting vulnerability information to design zero-day attacks.  

In contrast, the open source communities often fail to have clear lines of communication with outsiders who may be security experts, whom they tend to distrust. In any event, keeping secrets goes against the grain of the open source spirit for many.

"The open source software development model is so different," says Stormy Peters, executive director of the GNOME Foundation, which makes the open source desktop application for Linux distributed by many vendors, including Novell and Red Hat. "Expecting there to be security services or a contact for a particular project is not likely to happen in open source, but usually there is a mailing list."

That mailing list is usually open, as are any bug-tracking systems. "Whenever the problem is fixed, we issue a patch," says Peters about GNOME, saying that responsibility usually falls on whoever has "commit access," the right to check in changed code.

Open source is a "meritocracy," Peters says, and though a community feels most comfortable with its own, "there's definitely a way for outsiders to interact with the group, as long as you look credible."

Peters, who also works at consulting firm OpenLogic, which plays an intermediary role between companies and open source communities while technically vetting more than 400 applications, urges security experts wishing to contact open source communities to make the effort to find the "right person to talk to" to share concerns about possible vulnerabilities.

Sometimes businesses using open source internally provide a patch, though they may not want their name associated with it. But patch information is generally going to be sent out on a mailing list, Peters says, adding, "Everyone is going to know soon anyway."

Some security vendors have found it can be more difficult to get the message to open source communities than to closed source vendors.

Fortify Software is a security firm that recently worked with consultant Larry Suto to evaluate 11 Java-based open source applications for vulnerabilities, finding all had significant flaws that Fortify wanted to report to each open source community.

But according to Fortify, only Tomcat, an application server project, could be found to use the security "best practices" Fortify advocates, which include a dedicated e-mail alias for reporting security vulnerabilities, easy access to security experts and a prominent Web link to security information.

The remainder of the open source projects Fortify sought to contact, Hipergate, OpenCMS, Resin, Jonas, Derby, Geronimo, Struts, Ofbiz, JBoss and Hibernate, fell short of supporting all three and some never responded at all to Fortify's inquiries.

While Fortify's report about its difficulty in contacting open source projects to report vulnerabilities generated controversy, some open source proponents think the Fortify study makes a valid point.

"We've put up an e-mail address to notify without broadly broadcasting," says Emma McGrattan, senior vice president of engineering at Ingres, about its own discreet process for security remediation in the Ingres open source database. "It's a very inexpensive thing to do."

Ingres, which earns its bread and butter through services and licensing its intellectual property, has two full-time security experts on staff and uses the Klocwork code-testing tool to identify security bugs in vetted Ingres code. "Once someone has that fix, it's incumbent upon them to submit it into the community," she notes, adding, "the community version is less stable."

Ingres customers do grapple with the intellectual-property aspects of code changes. "Issues around the legality of open source licensing have come up for us," McGrattan acknowledges. "Lawyers do get concerned about open source as they've seen it creep into the environment."

Danny Allen, director of security research at IBM Rational, who notes IBM has strong initiatives in open source, such as Apache, says businesses do mull the security and intellectual-property implications that spring up from open source.

"There's an awareness of risk, such as what if there's a vulnerability down the road," Allen says. There are worries about who is the security contact for the framework, or what's the possibility of the intentional inclusion of malicious code.

Corporate lawyers in particular are leery of open source projects because it may be difficult, if not impossible, to find the people who are accountable. "In open source projects, there isn't any specific accountability," says Allen, who adds that he's seen legal people try to ferret out the open source software during a merger, regarding it as higher risk than closed source software.

But each open source community will look and act a bit different, notes David Maxwell, open source strategist at Coverity, which makes Coverity Prevent, a static-analysis tool that measures software quality. Maxwell also is a software developer voluntarily working on the NetBSD open source project, in which a few hundred individuals have the right to "commits" of code changes.

More than two years ago, Coverity was awarded a contract from the Department of Homeland Security to methodically analyze open source software under the government's Open Source Hardening Project.

Under the contract, open source projects were invited to use the Coverity Scan site for free with the goal of evaluating software so any defects could be fixed.

The Coverity Scan site analyzed more than 55 million lines of code on a recurring basis over two years for more than 250 open source projects, including Firefox, Linux and PHP. The results were summarized in May in its "Open Source Report".

Of the 250 projects, about 120 have developers active in reducing reported defects in the code, according to the "Open Source Report." Use of the tool led to the reduction of more than 8,500 various defects in open source programs over two years. But by and large, open source software didn't stack up particularly well in terms of clean code.

The ones that did very well include Amanda; NTP; OpenPAM; OpenVPN; Overdose; Perl; PHP; Postfix; Python; Samba and TCL, which resolved all the defects found, Maxwell says.

"But the rest of the 120 had varying levels of responsiveness," Maxwell says about the process of fixing code. He acknowledges that his own NetBSD, which follows the practice of selecting security officers from its volunteers and encrypting communications, is still catching up with the bug findings.

Open source software development is a culture where people are accepted based on the group's perception of their abilities and dedication, creating a naturally formed tight-knit volunteer group, Maxwell points out. So there can be stiff resistance to the outsider suddenly appearing with bad news about software security.

Attackers are out there trying to exploit the openness in open source, say some.

Many open source projects make use of the Concurrent Versions System (CVS) as the repository for the project code. This predictability offers opportunities to attackers who might want to monitor for code changes and updates in order to prepare malware and attack code. "People do take advantage of that all the time," says Alfred Huger, vice president of Symantec Security Response. "They look at CVS and the logs that are changing."

As to whether he's found open source communities to be more leery of outsiders approaching with security intelligence, Huger says each community is different, but the more reticent and skeptical ones are those that were never approached before about a particular problem. Communities are more open to information "if they had a similar problem before," Huger concludes.

Copyright © 2008 IDG Communications, Inc.