CTOvision: The Number One Reason To Move To Open Source: Security

  • Bob · 8 months ago
    Well, not so fast. While I agree with most of what Vass says, it's also the case that open source stuff becomes a target the more that it's used. Just look at what's happening with Firefox these days. Many of the point releases are because of security issues, and not simply to add functionality. An expert within the Intelligence Community told me, "most major public and private institutions do NOT use open source products (including the Intel. Community) and thus, they do not receive the security scrutiny that the commercial products get."
  • Joseph M. Mazzafro · 8 months ago
    Bob, I believe your view on open software is far too binary. The seeming appeal of Open Software is that it is free, until you need to integrate it, support it, or train to it. But I'll just skip over the infrastructure advantages of commercial open source software like MS and Oracle sell in terms of configuration management critical to enterprise operations and go right to security. I get that openness leads to better security over time as the user community will find and fix defects (though if you want Linux patches immediately you might want to consider Oracle Unbreakable Linux), but what about the adversary who develops malware from the open environment and keeps it in the "war reserve mode (warm)" until it wants an effect? To summarize, I am not arguing against open source SW as you define it, but suggesting there are places and uses where open source makes sense and others (far more in the IC) where commercially open SW is the better approach.
    joemaz
  • Bob · 8 months ago
    Bob- Thanks for the note. I've heard that argument quite a bit, but frequently it seems to be made by folks from proprietary companies. Anyway, I have to admit this factor is at play. The more that open source is used, the more people will try to attack it. But I really believe that software that is designed to be more secure is more secure, and there are quite a few ways to prove that. I would, however, like to argue with the person that told you most major public and private institutions do not use open source products. The fact that the person said that proves to me he or she is not an expert. I think the majority of them use open source. Don't all organizations use BIND? How else would they be able to use networks if they don't use that? I probably shouldn't be holding that up as an exemplar of security, but it does what it is supposed to very well and now, thanks to the open source community, has great DNSSEC features that all should turn on. And when it comes to OS's and traditional applications, I think Gartner said something like 85% use open source. I think your expert associate should do some more digging.
  • Bob · 8 months ago
    Joemaz- Thanks for the input. I think I agree with most of that, and maybe I could have written that to sound less binary. I think in most cases enterprises want commercially supported open source. I think it is just human nature that IT program managers would like to be able to use any software before paying for services so being able to use open source software for free while starting up is attractive, but fielding something across the enterprise is best done with commercially supported open source.
  • John Weiler · 8 months ago
    All points are valid. What is missing from the discussion is the process by which government maps requirements to available solutions, whether COTS or Open Source. Neither source of innovation is leveraged effectively, as government has lost its ability to track, assess and acquire any innovative solutions due to the disastrous outsourcing of these functions to defense contractors who lack access to this market or the incentives to promote existing solutions over custom development.

    This issue was barely touched in the just released Defense Science Board report on IT Acquisition http://www.acq.osd.mil/dsb/reports/2009-04-IT_A.... The good news is that the new IT-Acquisition Advisory Council (IT-AAC), headed up by former Army PEO EIS Kevin Carroll and former AF Secretary Mike Wynne. Preliminary findings are posted at www.ICHnet.org. Recommendations for process improvement can be sent to Kevin.Carroll@ICHnet.org.
  • ctovision · 8 months ago
    Thanks much John, I appreciate the comments and links. I just jumped over to your ICHnet.org site and had a quick look around. I'll be spending more time on there shortly and would recommend others do the same.

    Cheers,
    Bob