Information Security

Defending the digital infrastructure



Redefining free security software

Popular open source security products such as Nessus, Snort and Clam AV are being commercialized, redefining the notion of free software.

Remember when Nessus updates and plug-ins were free? It wasn't that long ago. And when the latest Snort signatures were a few gratis clicks away too? Those were the days when the best open source security software was free, as in free beer.

Well, Nessus had to grow up; Snort too. They've been commercialized by those who built them, and that was inevitable. After all, this is a capitalistic society, and eventually the socialism that is the free software movement just doesn't pay the bills.

Today, the core Nessus engine is free, and you can still get Snort at no cost, but the free beer analogy has gone a little flat. Timely updates will cost you an expensive license agreement, and the words copyright, patent and acquisition have infiltrated the lexicon of "the community." Smart guys like Renaud Deraison at Tenable and Marty Roesch at Sourcefire have mastered walking the fragile line between protecting the bottom line and keeping their open source following satisfied.

ClamAV was the latest open source project to see dollar signs and cross over to commercialization. Ironically, it was Sourcefire, the proprietary home of the Snort IDS, that scooped up the Clam project, its five team members, SourceForge project page, Web domain, etc. The move is a great one for the newly public Sourcefire, which has been touting its new Enterprise Threat Management platform and figures to integrate ClamAV there.

As with Snort, Sourcefire founder Roesch and CEO Wayne Jackson are saying all the right things about maintaining open source Clam. However, the other shoe will inevitably drop here, as it did with Snort and its VRT Certified Rules license subscription service. Since 2005, up-to-the-minute Snort rules have been available only to subscribers; others could register to get their rules after a delay. Those who choose not to register must wait for major releases to get their new rules.

The other potential hitch is for enterprise UTM users whose vendors have built their products on top of open source offerings like Clam. Astaro and Barracuda are two such cases, and Information Security spoke to their CEOs about the situation. Neither Jan Hichert nor Dean Drako seemed particularly stressed about the trickle-down for their customers. Most UTM vendors offer multiple AV scanning engines, and ripping and replacing Clam should a license become onerous wouldn't be a big deal, both CEOs said.

The bigger question is around the commercialization of open source and the end of open source poaching. HD Moore made a loud statement this year with the introduction of the Metasploit Framework License upon the release of Metasploit 3, which limits the use of exploit modules and interfaces. "Proprietary businesses were using his code in commercial products, but not maintaining his copyright, instead using his community as free R&D," says Nick Selby, an analyst with The 451 Group. "That's not cool. He changed from the GPLv2 and Perl Artistic licenses to a home-baked license that says that neither Metasploit nor derivative works may be sold."

It's a faulty argument that these products are borne mostly on the sweat of the community. True, there are contributions from the outside, but it's a fair guess that Sourcefire engineers are the keepers and enhancers of a majority of the free Snort code--same goes for Clam and its team, and Moore's minions. There's more give than take, and those doing the taking are the wrong ones profiting--for now.
