

Friday, September 12, 2008

Securing Open Source

The dust has not yet settled on the recent discussion in the media about the security worthiness of Open Source Software. In continuation of my assertion that Open Source software can be as secure as one intends it to be, I will be giving a presentation titled "Securing Open Source" at the DHS Software Assurance Forum at NIST in October. The DHS National Cyber Security Division is the main sponsor of this forum.

What will my presentation cover? Once it is ready, I will post it here. In the meantime, I would like to talk about the secure practices we follow in JBoss development, as well as the lessons learned during the ongoing Common Criteria evaluation of JBoss EAP 4.3.

This month, I am moderating a panel as well as chairing sessions at the Oasis Security Forum in London. Stop by if you live in and around London. :)

So what really goes into securing open source? It is mainly the processes followed in the development and maintenance phases of the software. Many times, open source software is written by enthusiasts and philanthropic developers for whom getting the latest innovation out is of primary importance. In those cases, security and maintenance certainly receive less attention. But these cases are not the general trend for open source. For open source projects/products such as Apache HTTPD, Tomcat, Linux (Red Hat) and JBoss, you have one or more companies standing behind the success of the project. In these cases, security is dealt with as and when needed: every security vulnerability is fixed as soon as possible.

Read more here.


Gregg said...

When open source software first got rolling in the early eighties, the big complaint was that it lacked enterprise support, whatever that meant. Now that support is available in most cases, the critics have moved on to security, lumping all open source projects together in a single basket. I am glad to see someone addressing the issue.

Anil Saldanha said...

Thanks, Gregg, for the comment. Isn't it interesting to note that about 50% of the web server market is held by Apache HTTPD? Now that is open source at the pinnacle.