“We are entering a ‘post proprietary’ era where it is basically impossible to build and deploy applications without some integration of open source software. This phenomenon extends to the enterprise desktop to enterprise data center applications to the cloud and of course to mobile/embedded,” he said.
Finance and human resources, while handling highly proprietary and sensitive information, are not immune to the benefits of deploying on and with open source, Weinberg said. “On premises, HR and Financial apps run on Linux and integrate a range of open source libraries and middleware,” he said.
Focusing on “networks”, that is, (embedded) network equipment, he noted that at least 80 percent of the code deployed in routers, access points, NAS and other network nodes is open source.
Santinelli added: “Just for fun, I took a look at survey responses from 2007 to find that some actually labeled open source as a ‘gimmick,’ and a majority believed that a startup software vendor could only be successful with a product/service that is not open source.”
The survey showed that 45 percent of respondents gave open source the first look with regard to evaluating security technologies for internal use.
Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, is also a proponent of open source. He cited the “many eyes” theory, whereby the more people reviewing the code, the less likely vulnerabilities are to get through. Given the extensive peer review process, he feels comfortable using open source products. The only downside he sees with open source products is the lack of support: a commercial vendor is contractually obligated to respond to issues with its product.
Michael Pittenger, vice president of product strategy at Black Duck, said the support model for open source is backwards. “It is up to you (as the user) to know if there is a new version of that software available,” he said, adding that you have to be engaged to know when vulnerabilities have been found.
“I don’t find companies shying away from open source” when it comes to departments like human resources, he said. “With this support model, nothing is getting pushed to [the user].”
“Utilizing open source solutions, whether it is for PII, financial records, or proprietary information should not be a concern for most institutions. The underlying encryption algorithms, communication protocols, and operating systems are often already open sourced,” said Rook’s Taylor.
He added that this allows researchers to examine the code directly for defects and vulnerabilities. It is more difficult to investigate the precompiled binaries that closed source products deliver.
“If a vulnerability is identified in a closed source piece of software, the end user must wait for the company to produce and distribute the patch. An open source project will often be able to produce a patch more quickly due to all of the end users and developers of the project working towards a solution,” he said. “Ultimately, it is the company's responsibility to identify and utilize a sufficiently secure solution for their data. In a software as a service model, the liability may be deferred somewhat to the service provider, but damage to the company's reputation will still be inflicted.”
He does not think there are any company departments which should inherently not use open source software. There is typically higher overhead for the management of open source tools and sometimes a lack of support (some notable exceptions being Red Hat, Elasticsearch, etc.).
“Open source has solidified its position as the default base for software development. It is infiltrating almost every facet of the modern [network]. In the startup community we are seeing a continued wave of open source born companies – the next wave of Red Hat, Acquia and Ubuntu while at the same time seeing traditional IT leaders such as HP and Microsoft grafting open source DNA into their core,” said Santinelli. “In the coming years, we will see open source unlock the potential of a new generation of technologies – the Internet of Things, big data and cloud computing creating many billions in value.”
J.J. Thompson, founder and CEO at Rook Security, said open source tools are very useful for providing data enrichment to enhance the context of an attack to facilitate bucketing. Many commercial tools provide information about the IDS signature, or the origination IP, but do not glue it all together.
“Instead of trying to find a super-sized offering to do this, which none do effectively, it is often better for internal teams to glue the pieces together themselves with open sourced threat intelligence,” he said.
Additionally, scripting capture of information about the asset under attack can help security teams decide how to effectively respond based on the business criticality of the asset, he said.
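The enrichment-and-bucketing approach Thompson describes, as an added illustration that is not code from Rook Security or any commercial product: each IDS alert is joined with an asset inventory (business criticality of the target) and an open threat-intelligence indicator list (reputation of the source), then scored and placed in a response bucket. The inventory, indicator list and alert lines are all constructed for the example; the `signature|source_ip|destination_ip` alert format and the scoring weights are assumptions.

```python
import ipaddress

# Constructed asset inventory: network -> (owner, business criticality 1..5).
ASSET_INVENTORY = {
    "10.0.10.0/24": ("payments-api", 5),
    "10.0.20.0/24": ("hr-portal", 4),
    "10.0.99.0/24": ("dev-lab", 1),
}

# Constructed open threat-intel indicator list (stand-in for a real feed).
THREAT_INTEL_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed IDS alert lines in the assumed form signature|source_ip|destination_ip.
SAMPLE_ALERTS = [
    "ET SCAN Nmap Scripting Engine|203.0.113.7|10.0.10.15",
    "ET WEB_SERVER SQL Injection Attempt|192.0.2.44|10.0.20.8",
    "ET POLICY SSH Brute Force|198.51.100.23|10.0.99.3",
    "ET INFO ICMP Echo Request|192.0.2.9|172.16.5.5",
    "this line is malformed",
]


def parse_alert(line):
    """Split one alert line into its fields; return None for malformed input."""
    parts = line.split("|")
    if len(parts) != 3:
        return None
    signature, src, dst = (p.strip() for p in parts)
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"signature": signature, "src_ip": src, "dst_ip": dst}


def lookup_asset(ip):
    """Match the attacked host against the inventory; unknown hosts get weight 1."""
    addr = ipaddress.ip_address(ip)
    for cidr, (owner, criticality) in ASSET_INVENTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return owner, criticality
    return "unknown", 1


def bucket_for(score):
    """Map a numeric score onto a response bucket (thresholds are assumptions)."""
    if score >= 6:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def enrich(alert):
    """Glue asset context and threat intel onto a parsed alert and score it."""
    owner, criticality = lookup_asset(alert["dst_ip"])
    intel_hit = alert["src_ip"] in THREAT_INTEL_IPS
    # Criticality of the asset dominates; a known-bad source adds a fixed bonus.
    score = criticality + (2 if intel_hit else 0)
    return {**alert, "asset_owner": owner, "criticality": criticality,
            "intel_hit": intel_hit, "score": score, "bucket": bucket_for(score)}


def process_alerts(lines):
    """Parse, enrich and rank a batch of alert lines; malformed lines are dropped."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        results.append(enrich(alert))
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in process_alerts(SAMPLE_ALERTS):
        print(f'{r["bucket"]:8} {r["asset_owner"]:13} intel={r["intel_hit"]!s:5} {r["signature"]}')
```

The same scan against the payments API lands in the critical bucket while the brute-force attempt against the lab host is only medium, even though the lab attacker is on the indicator list: the asset's business criticality, not the signature alone, decides how quickly the team responds.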
The 2003 SANS report noted, and it is still true today, that enterprises should do an extensive risk and security analysis before choosing open source solutions over their closed source counterparts. The analysis should consider factors such as the expertise available in-house and the support options available for the respective open source product. Well documented and implemented security policies and best practices help an enterprise mitigate the risks and enjoy the real benefits of open source.