[ISN] Is Open-Source Security Software Safe?

From: InfoSec News (isnat_private)
Date: Tue Dec 11 2001 - 21:55:21 PST


    DECEMBER 11, 2001 
    By Alex Salkever 
    Will the average bank care if the hacking underground can examine the
    basic source code of the security software protecting its networks?  
    That's what information-security company Guardent is about to find
    On Dec. 11, the Waltham (Mass.)-based company rolled out a hardware
    security appliance that relies solely on open-source programs to
    protect customers. Guardent will use these appliances, priced at
    $1,500 a pop, to monitor and guard corporate networks. That's a
    fraction of the cost of most integrated security appliances.
    One small step for Guardent, one giant leap for open-source security.  
    Corporations are loath to take a chance on a piece of security
    software they don't completely trust. But Guardent doesn't seem to be
    worried. Open-source proponents have long argued that their software
    is more secure due to the exposure of the raw code to thousands of
    eyeballs, and the ability of anyone using the software to incorporate
    code changes to quickly patch vulnerabilities. What's more, Guardent
    will emphasize top-quality service first, good software second. "The
    thing that has the value is the service, rather than the software
    itself," says Guardent co-founder Daniel R. McCall.
    CHEAPER PACKAGE.  A quick look under the hood of Guardent's new box
    reveals no surprises. The device incorporates a handful of customized
    versions of well known open-source security software tools including
    the Snort intrusion-detection package, the Nessus vulnerability
    scanner, and the IPTables firewall program. Guardent will manage the
    devices using specialized software backed by a PostgreSQL database,
    another open-source system.
    "By combining these things, you get something that transcends what
    straight firewalls and straight intrusion-detection system [IDS] can
    offer," says Guardent Chief Technology Officer Gerard Brady. "You can
    put the thing together at a cost where the hardware, the software, and
    the service for a year come in around the same cost of a traditional
    IDS system with just the hardware to run it."
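The coupling Brady describes, an IDS feeding a firewall, is easy to sketch with the two tools the article names. The following is an added example, not Guardent's code or anything the article reproduces: it parses Snort "alert_fast" lines, picks high-priority sources (Snort priority 1 is the most severe), refuses to block anything in an assumed management network (10.0.0.0/24), deduplicates, and emits iptables DROP commands. The alert lines are constructed for the example using RFC 5737 documentation addresses.

```python
"""Turn Snort 'alert_fast' output into iptables DROP rules (added example).

Not Guardent's code. The alert lines are constructed for this example and
the protected management network 10.0.0.0/24 is an assumption.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Snort alert_fast line: timestamp, [gid:sid:rev] message, optional
# classification, priority, {proto}, then "src[:port] -> dst[:port]".
_FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not captured traffic). Note the repeated source,
# the low-priority ICMP alert, the alert from the management network, and
# the junk line; each exercises one branch below.
SAMPLE_ALERTS = """\
12/11-21:55:21.123456  [**] [1:1000001:1] PORTSCAN detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22
12/11-21:55:22.000001  [**] [1:1000002:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 198.51.100.5:80
12/11-21:55:23.500000  [**] [1:1000003:1] ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
12/11-21:55:24.000000  [**] [1:1000002:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51235 -> 198.51.100.5:80
12/11-21:55:25.000000  [**] [1:1000004:1] SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:40000 -> 198.51.100.5:22
this line is not an alert and must be ignored
"""


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line, or None if it is not one."""
    m = _FAST_ALERT.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["sid"] = int(fields["sid"])
    return fields


def plan_blocks(lines: Iterable[str], max_priority: int = 2,
                protect: Tuple[str, ...] = ("10.0.0.0/24",)) -> List[Tuple[str, int, str]]:
    """Choose source addresses to block.

    Keeps alerts with priority <= max_priority (1 is most severe), skips any
    source inside a protected network so the appliance cannot be tricked into
    cutting off its own managers, and lists each address once.
    """
    protected = [ipaddress.ip_network(n) for n in protect]
    seen = set()
    blocks: List[Tuple[str, int, str]] = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        try:
            ip = ipaddress.ip_address(alert["src"])
        except ValueError:        # regex allows shapes like 999.1.1.1
            continue
        if any(ip in net for net in protected) or alert["src"] in seen:
            continue
        seen.add(alert["src"])
        blocks.append((alert["src"], alert["sid"], alert["msg"]))
    return blocks


def iptables_commands(blocks: List[Tuple[str, int, str]]) -> List[str]:
    """Render each planned block as an iptables command (inserted at the top
    of INPUT, tagged with the Snort SID so it can be found and removed later)."""
    return [
        f'iptables -I INPUT -s {ip} -m comment --comment "snort sid {sid}" -j DROP'
        for ip, sid, _msg in blocks
    ]


if __name__ == "__main__":
    for cmd in iptables_commands(plan_blocks(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```

Running it prints two DROP commands, for 192.0.2.10 and 203.0.113.7; the ICMP alert is below the threshold, the second probe from 203.0.113.7 is deduplicated, and 10.0.0.5 is spared because it sits in the protected network. The protected list is the important caveat: an attacker who can spoof source addresses in the alerts can otherwise turn an auto-blocking IDS into a denial of service against the hosts you care about, which is why such rules usually also carry an expiry or a human review step.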
    Guardent isn't alone. Other vendors are starting to incorporate
    open-source programs as part of their security solutions. Big systems
    integrator EDS markets a package of open-source security programs to
    credit unions from German company Astaro. Security company Silicon
    Defense offers commercial support contracts for Snort. Web-server
    specialist Covalent sells and supports a secure version of the popular
    open-source program Apache that wraps intrusion detection and
    antivirus capabilities in the same package. IBM, too, uses open-source
    security products in its consulting and technology-management
    UNLIMITED ACCESS.  Although no one tallies the number of corporations
    using open-source security software, something must be going on in the
    market. "It could be there are more people out there who use the
    open-source security and firewall tools, but it never gets reported
    because no one executed a purchase order for it," speculates Brian
    Behlendorf, the CTO of Collabnet, which has done a lot of work on
    open-source products.
    Open-source proponents argue that, by making the code visible to all,
    possible security holes will likely have been spotted. They also say
    the ability to make quick changes in the code is a boon, as is the
    fact that the user wields ultimate control. "With open-source
    software, we are assured that we will have access to the software for
    as long as we desire," says Grant Wagner, the technical director of
    the Secure Systems Research Office at the National Security Agency.
    Most important, removing the cost of software licenses makes a huge
    difference in the competitive field of managed security services,
    where Guardent hopes to make a big splash. Co-founder McCall thinks he
    can maintain profit margins in the 60% to 70% range with the
    open-source appliance. All of this might sound familiar to those who
    have watched Red Hat's struggle to create a workable model, one in
    which software is free and service revenues generate the profit. If
    that effort is any guide, driving open-source security software into
    the mainstream will doubtless prove a very difficult task.
    SEALS OF APPROVAL.  The open-source movement rarely puts a premium on
    nifty interfaces that can make it easier to manage and configure
    software. But that's precisely what network engineers need to give
    them easier tools for operating firewalls and intrusion-detection systems on large
    corporate networks. "The people who are really good at building
    open-source things are happy with a less sophisticated interface,"  
    explains Gary McGraw, CTO of Cigital and an expert in building secure
    software. "Part of being a good firewall is the quality of the code,
    but don't forget that someone has to manage the firewall."
    Open-source security products will struggle down the road unless they
    can obtain seals of approval such as Federal Information Processing
    Standards (FIPS) validation, as administered by the National Institute
    of Standards & Technology. Those audits are mandatory before the
    federal government signs certain types of contracts. But open-source
    projects rarely can raise the cash to pay for and maintain these
    audits. That's not even considering how an audit could be conducted on
    a constantly changing body of code.
    Another potential problem: As open source pushes into more complex
    pieces of software, such as firewalls and IDS, frequent code-patching
    can spawn its own difficulties. "If there is a problem, somebody
    patches it. People like that about open source," explains Mary Ann
    Davidson, the chief security officer at Oracle, who adds: "But if you
    are a company with a large code base, these alterations ripple through
    all the products that depend on it. So patching every week
    destabilizes your code base."
    CRUNCH TIME.  Davidson is quick to point out that she's not opposed to
    open-source code in principle. In fact, Oracle considered using
    open-source libraries of cryptographic algorithms a few months ago, but
    it rejected that approach in part due to a belief that product support
    would be superior from an established proprietary-code vendor.
    Now comes the moment of truth: How many companies are willing to put
    everything on the line with open-source software as their bulwark
    against malicious hackers and other intruders? While the algorithms
    themselves are very public, "I have never seen anyone using
    open-source cryptography software in really heavy duty,
    mission-critical applications," says Davidson.
    Guardent says it counts one of the 10 largest financial institutions
    in the country among the beta customers for its open-source appliance.  
    True, that unnamed outfit isn't using the device to protect
    bond-trading systems or anything else quite so sensitive. But if
    Guardent can show that management and service are more important than
    the code itself, that could mark a huge opportunity for open source to
    pile into a market where high software costs still hurt.
    Salkever covers computer security issues twice a month in his Security
    Net column, only on BusinessWeek Online.
    Edited by Douglas Harbrecht
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 02:09:31 PST