Gone may be the days of "free" open-source products -- many of which have become foundational elements in widely used security products. Some groups are now charging for updates to effectively use their technology, others ask for handouts in the form of donations, technology and manpower. And why should those who develop and staff these projects be denied compensation for their efforts when commercial vendors make money using that same free technology?
"Completely cost-free open source projects will always exist. However, users of some of the more complex projects, especially those with commercial applications, should realize that development isn't a cost-free endeavor," said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group.
Some believe parity could be provided by charging vendors for the use of open-source components in commercial products. Those taking advantage of the open-source vulnerability scanner Nessus got a surprise in December when its project managers announced they would no longer offer free, timely "plugin" programs that contain vulnerability and testing information to such product and service vendors.
The new tactic appears to be paying off. "Among other things, Tenable uses the revenue generated from the sale of direct plugins to purchase servers to test the latest vulnerabilities, as well as test Nessus's impact to popular network devices and applications," said Ron Gula, president and CTO at Tenable Network Security, which manages the Nessus project.
While Nessus is open source, it has a very small number of outside contributors; sources say that contributions by Tenable employees and shareholders account for 100% of the Nessus engine and about 90% of its plugins. Nessus plugin feeds will still be available in three forms: immediately, for a fee; for registered users, after a seven-day delay; and as part of the source released under the GNU General Public License.
And developers of the open-source FreeBSD operating system aren't exactly hurting for cash. According to Poul-Henning Kamp, a FreeBSD kernel developer, the group's first-ever fundraising drive raised more than $30,000 in just a few days, supplementing a war chest of nearly $200,000. The drive was conducted solely to preserve the group's non-profit status, which requires that no single donor contribute more than 2% of its total donations.
The money isn't earmarked for anything specific, and Kamp believes it's an indicator of users' faith in the project. "When we tell our users 'The money you give us will be spent wisely to improve FreeBSD,' they trust us to do so," Kamp said. He attributes that trust to the group's longevity -- nearly a decade now -- and delivery of a professional, comprehensive operating system.
Numerous other open-source security tools are under active development. It remains to be seen how many will follow the paths blazed by Nessus and FreeBSD and fund further development with hard cash or donated manpower.
"There may be thousands of security-related open source projects, but natural selection determines what's viable," said Gary Hein, service director for Burton Group's Application Platform Strategies division. "This has given us some of the most useful and popular security-related tools, including ipchains, iptables, Netfilter, OpenSSH, Ethereal and Snort, just to name a few."
The popularity of such projects has led commercial vendors to build these tools into a number of their own products.
"Organizations are getting more dependent on open source and are willing to have a pay relationship with vendors for support and updates," Hein said. "I can use tons of open-source software and it will always be free, but support and updates are either left up to the end users to spend time and effort, or are pre-packaged and delivered through a subscription service."
Nessus is said to be used in products from security vendors like StillSecure, VeriSign, IBM Global Services, Counterpane Internet Security, Symantec, AcuNett, ScannerX and rackAID, among others.
The popular IDS tool Snort is the basis for commercial products produced by Internet Security Systems, SnapGear, Lucid Security, StillSecure, Winsnort.com Intrusion Detection and PacketAlarm, to name a few. What if Snort follows the new Nessus model? Snort founder Marty Roesch didn't return calls for comment.
But Hein believes that the low acquisition cost of open-source software ultimately benefits IT organizations. "There are several savings -- from hardware vendors that can leverage open source projects and technologies instead of developing in-house, to users who can train their staff one time, and their skills will transfer between multiple products as long as those products are based on open-source technologies."