Open source security concerns can trump cost savings

By Neil Roiter, Senior Technology Editor, Information Security magazine 29 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Companies believe open source software reduces costs and delivers comparable functionality to commercial products, but they are not rushing to adopt it to offset tight IT budgets.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The number one concern is security, according to a survey by security company Palamida Ltd. Although most of the companies surveyed are facing budget cuts and cite cost as the primary open source benefit, more than half say they either absolutely will not or are unlikely to adopt open source in 2009.

Only 12% of the respondents said they would definitely use open source, while another 33% would consider it.

The cost factor cannot be understated. A recent Forrester Research Inc. survey corroborates this point, as more than half the respondents cited it as the primary reason for using open source. And their expectations bore fruit: 87% said they achieved the anticipated cost savings.

Open source security: TrueCrypt an open source laptop encryption choice for SMBs: TrueCrypt eases security and privacy concerns. The open source security software encrypts a dedicated space on your hard drive, a partition or the whole disk, as well as removable drives. Open source projects fall short on security: A study shows many flaws in popular projects and the failure of open source developers to make security a priority.  Federal aid helps uncover open source flaws: A joint project with security vendor Coverity Inc. uncovered flaws in 11 open source projects, including Perl, PHP, Python, Samba and TCL.

And, quality doesn't seem to be an issue. A majority of those surveyed by Palamida believe open source is as good or almost as good as commercial software, and 92% told Forrester that open source met or exceeded their quality expectations.

Still, security appears to be a sticking point, though not the only one. Half the Palamida respondents cited security concerns, but are also hesitant because of support costs and risks around intellectual property.

Palamida's products assess open source software in an organization, finding unpatched programs and OSes a sticky issue, since companies are often unaware of where and how open-source projects may be used in their applications. They also address intellectual property and legal risks arising from potential licensing questions.

Palamida surveyed 177 high-level executives in senior IT, engineering and security positions.

"It was surprising to us that the perception of senior managers around security are headlined-oriented," said Theresa Bui-Friday, Palamida's vice president of product marketing. "Their conclusions are anecdotal, such as the recent Google Android OS vulnerabilities.

SearchSecurity radio:

"If you dig deeper you find that the issue was Google was using an outdated version of WebKit (the open source engine on which the Android browser is based). Open source projects, by and large, are very responsive."

By contrast, a study by Fortify Software Inc. last summer showed that 11 popular open source projects had many vulnerabilities and exhibited lax security practices.

In addition to the survey, Palamida issued a list of 25 open source projects companies should be using to save money, including development tools such as NetBeans; database and mapping projects such as Apache Derby and MySQL; core utility classes such as zlib; reporting and chart tools, such as JFreeChart, and Web 2.0 projects, including the Prototype JavaScript framework. Palamida also estimates the cost in dollars and person-years to develop similar capabilities completely in-house.

The projects are included in a white paper in which Palamida makes the case for employing open source projects to reduce development costs in a tough economic climate.

Tags: Open Source Security Tools and Applications,  Security Industry Market Trends, Predictions and Forecasts,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Open Source Security Tools and Applications H.D. Moore on future of Metasploit attack platform H.D. Moore speaks about Metasploit Project deal, Release 3.3 Screencast: How to launch an OpenVAS scan Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 SSH key compromise shuts down Apache website Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Rootkit Hunter demo: Detect and remove Linux rootkits When to use open source security tools over commercial products Security Industry Market Trends, Predictions and Forecasts Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Part 5: Marcus Ranum on the state of information security Layoffs prompt insider threat fears, cybersecurity survey finds Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Security Industry Market Trends, Predictions and Forecasts Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Blowfish  (SearchSecurity.com) Kermit  (SearchSecurity.com) Open Source Hardening Project  (SearchSecurity.com) SnortSnarf  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary