Steve Smith, Managing Director of IT security consultancy Pentura, looks at the implications of using open source in business and argues that security is just one issue that organisations need to consider when contemplating an open source system.

The debate by IT security experts around using open source in a business environment, and the impact of this on IT security, is a mature one. Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world.

By its very nature, open source applications expose the source code used to write programs to examination by everyone, both attackers and defenders. Experts argue that keeping the source code closed provides an additional layer of security through obscurity.

However, just because the source code cannot by seen, it does not mean an application is secure. Microsoft, as well as many other leading vendors, is well known for releasing regular patch updates to fix security vulnerabilities.

Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability. On the upside, you can usually rely on the patches being dependable and generally not causing systems to crash as they go through a process of quality testing before being released.

Alternatively open source applications can be updated via the community as developers release updates free-of-charge for the good of the open source users. However, there are no guarantees that the patch will be written and released at all, let alone the quality of the patch, as there is no overriding responsibility to provide a service level of any kind.

Open source in business?

The debate on whether to use open source in business goes beyond the issue of security. When large numbers of corporate users are involved, IT departments will look at IT support contracts and SLAs, licensing costs and systems management, as well as system and user security.

If a business chooses to run an open source system, IT system support is likely to be one of the biggest issues an organisation faces. Due to the lack of commercial responsibility and the un-managed nature of an open source system, established IT support offered by organisations such as Microsoft is rare and relying on a disparate team of developers who write open source code has obvious risks.

During an open source project’s lifetime, it usually forks off into a variety of different versions, depending on what developers require of the new application or operating system. Commercial organisations can often get involved in this, forking off a version of the open source application and placing some commercial backing to the project, typically involving a more structured development approach, a licensing model and structured support services.

This offers users the best of both worlds, where they can benefit from access to the open community of applications whilst still having someone to turn to if they have problems.

The important part to note here is that the commercial organisation is still extremely keen to ensure the success of the open source project from where their commercial solutions have originated; thus giving something back to the community that has helped them become successful and to ensure future open source ideas have a chance to nurture and grow. Novell’s Suse Linux, Sourcefire’s Snort and Oracle’s OpenOffice are great examples of how successful this partnership can be.

The cost factor

The cost of maintaining open source applications is another important factor to consider. An organisation with a 2,000 seat license for Microsoft Office faces significant licensing costs.

Oracle’s OpenOffice offers an alternative option, allowing an organisation to use the familiar format of Microsoft Office, whilst making cost savings on the standard Microsoft license costs. However, companies should be aware of the hidden increased costs in support and training if an existing Microsoft house is going to change to a new application.

The smaller company often has a ‘one-man-band’ IT support department, which is left to its own devices when it comes to managing and securing the business, and often working with a tight budget.

Through using open source solutions, the smaller IT department can get kudos from saving the organisation money, whilst at the same time building their own education. As well as the potential financial savings to a business in deploying the ‘free’ software, the bespoke style of deployment and management that open source solutions offer could potentially make the IT support professional indispensible.

The reality of open source security Open source has advantages and disadvantages. The most widely used argument for not using open source is the additional layer of security through obscurity a closed source application provides.

This argument is slightly misleading. An open source operating system contains many thousands of lines of code, and the complexity of reading and understanding the entire open source code and then spotting and exploiting vulnerabilities in the code is an arduous task that is difficult and often requires highly specialist knowledge.

On top of that, when speaking to many open source users, penetration testers and hackers, you could count on one hand the number that would even be interested in reading and understanding such large applications. They prefer to use the open source operating systems and the plethora of tools that have already been written to test closed source applications. It’s just that much easier.

Although the argument for security through obscurity is a powerful one, its significance is overplayed within the open source debate as a serious attempt to find a system vulnerability begins with the attacker writing a specific application to look for system vulnerabilities - a tactic that works equally well on open and closed source systems.

Open source in business can offer organisations a significant advantage and should not be overlooked because of concerns over security. Although this is an important issue to any organisation, data and system security can be equally or more secure with an open source system than the alternative.

Both open and closed source systems have advantages and disadvantages. Although security experts are unlikely to unanimously agree on the best route for an organisation to take, it is critical that organisations protect their most important asset, their data, regardless of which path they take.

Can open source be secure in business? Yes - but organisations should not rush into an open source system without considering all of the other issues that come as part of the package. Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting.