[ISN] Open source courses through DOD

From: InfoSec News (isnat_private)
Date: Sun Nov 03 2002 - 22:29:24 PST


    By Dan Caterinicchia 
    Nov. 1, 2002
    What would happen if open source software were banned in the Defense

    A recent study conducted by Mitre Corp. for DOD posed that
    hypothetical question and found this answer: The department's
    cybersecurity capabilities would be crippled and other areas would be
    severely impacted.

    Mitre Corp. was asked to develop a listing of open-source software
    applications at DOD and to collect representative examples of how
    those applications are being used. Over a two-week period, an e-mailed
    survey identified 115 applications and 251 examples of use, and
    Mitre's report acknowledged that actual use could be "tens of
    thousands of times larger than the number of examples identified."

    To help analyze the data, the hypothetical question was posed: What
    would happen if open-source software were banned at DOD?

    Version 1.2 of the report, "Use of Free and Open Source Software
    (FOSS) in the U.S. Department of Defense," was released Sept. 20 to
    the Defense Information Systems Agency (DISA), and found that
    open-source software applications are most important in infrastructure
    support, software development, security and research.

    "The main conclusion of the analysis was that FOSS software plays a
    more critical role in the DOD than has generally been recognized,"
    according to the report.

    In open-source software, such as Linux, the source code is publicly
    available and gives users the right to use, copy, distribute and
    change it without having to ask for permission from any external group
    or person.

    After receiving a working draft of the report in May, DISA solicited
    insights from DOD and the private sector, said Rob Walker, DISA's
    Net-Centric Enterprise Services program manager, in a presentation at
    an open-source conference in Washington, D.C., this week.

    The examination raised three concerns about the use of open-source

    * Exposing system vulnerabilities.
    * Introducing Trojan software, which is hostile software covertly
      placed in ordinary applications.
    * Developing new software that incorporates "general public license"
      (GPL) source code. This means the entire new product must be given a
      GPL, which would impact DOD software development and research areas.

    Walker's presentation dismissed the first two concerns, finding that
    the pre-emptive identification of security holes by friendly analysts
    outweighs the danger of hostile attacks, and that the introduction of
    Trojan software in open-source environments is no greater than in
    proprietary ones.

    DOD officials' main open-source concern involves the licensing, but
    "with reasonable care, GPL software can be used without disrupting
    other licenses," Walker said. He added that the introduction of
    unusually restrictive licenses, like some used by Microsoft Corp.,
    "presents a more significant issue."

    Mitre's report recommended three policy-level actions to help promote
    optimum use of open-source within DOD:

    1. Create a "generally recognized as safe" open-source software list
       to provide official recognition of applications that are
       commercially supported, widely used, and have proven track records
       of security and reliability.
    2. Develop generic policies to promote broader and more effective use
       of open-source, and encourage the use of commercial products that
       work well with the software. A second layer of customized policies
       then should be created to deal with the four major use areas --
       infrastructure, development, security and research.
    3. Encourage the use of open-source to promote diversity in systems
       architecture, which would reduce the cost and security risks of
       being fully dependent on a single software product.

    This archive was generated by hypermail 2b30 : Mon Nov 04 2002 - 01:01:58 PST