In my opinion, open source applications tend to be even more secure than their commercial equivalents, which is why we have used them so predominantly throughout Memset.
Our Miniserver VM technology is based on an OSS hypervisor called Xen, which manages the virtualisation of the machines. Most people buy it packaged from Citrix, but underneath it is open source software. The fact that we are using the open source and free version is partly why we're Britain's cheapest provider, because our customers are not subsiding Citrix or VMware license fees.
Our firewalls use open source Linux IPtables, which we automatically configure from our master database (open source MySQL, of course) with our own scripts. We also use the new open source Open Stack software for our cloud storage solution, Memstore™.
We also use an open source implementation of the vLAN'ing and briding software (for creating a virtual switch on the host servers), all using standardised, open interfaces and protocols.
By using Linux and open source software for our core infrastructure also means we are able to use commodity servers for everything from our firewall-routers to our virtual machine hosts. By doubling up on everything (which is made economically very feasible when using commodity hardware and not paying license fees) we are able to achieve huge levels of resilience for very little outlay.
Using open code has proved to be significantly more secure than other equivalents, as open source communities are generally able to find and fix security vulnerabilities much quicker than their corporate counterparts. The very weakness pointed out by software companies like Microsoft (ie. that the source code is visible) is in reality its greatest security strength.
Here’s why you don’t need to buy expensive security software:
Myth: Security is too expensive
Yes, security solutions are generally not cheap, but as demonstrated above, OSS is capable of providing adequate security without busting the budget, as they are generally less expensive or better yet - free! Just a few examples include: Snort, Smoothwall, FreeBSD, Ubuntu, Nessus, Nmap, SonicWall, Sendmail/Milter, SpamAssassin, Untangle, DansGuardian, etc.
Myth: Open-source is dangerous
Obviously, I am a firm believer in open source and have been using it for many years; however, there are some companies that actually ban open source software. One could argue that open source is more- secure than closed source software because more eyes are critiquing the code - you have an army of “white hat” hackers ensuring its integrity. Open source software can have vulnerabilities but my experience has been that they are addressed much quicker than closed source software, provided that you are using one of the packages that has a lot of support in the community (ie. is widely used).
Myth: You Need To Outsource Monitoring of Your Internal Network
Wrong! You most definitely need to monitor your internal network to detect weird behavior and unexpected requests. But you don’t need to pay for “heuristic” systems that profess to doing it for you. They don’t, they’re rubbish! Look at the claims by security vendors and ask yourself why they’ve been saying this for 10 years but yet networks are still being compromised. Your Network Admins should know your network. They should be allowed and supported with time and resources to monitor logs of the systems they manage.
Outsourced perimeter management providers don’t care. Their SLA’s claim that they do, but they don’t. You could save yourself significant investment by avoiding such services and going back to basics. Build secure systems, patch them and monitor the logs / traffic with internal, expert staff. It does not need to be complex.
Myth: You need to buy expensive boxes as they are more secure
Don't buy expensive boxes just because you think, or have been told, they will make you secure. Your security is rarely better from these products, partly for the same reasons open source is more secure; by using common hardware all the potential vulnerabilities will have been discovered by virtue of there being so many out there.
On the software side it applies too. I have seen so many instances where a customer has put their Windows –based servers online without taking the necessary steps to secure the product, ie. Firewall etc and the machines are compromised in minutes. Save your money to hire people with skills instead of getting magic boxes that do little or nothing.
I have come across so many common misconceptions about security software from my experience with working with people and companies in IT and IT security at all levels, including customers, colleagues and peers from companies of all sizes from global online retailers through startup businesses and across many industry sectors.
My tip moving forward would be address some of these common information security fallacies and ensure you have in place good basic security controls and practices before you fall foul of getting trap with expensive security software solutions.
