Is open source an open invitation for trouble?

Open source solutions raise questions about security. This TechRepublic column examines whether companies should take a chance on open source solutions.

The question of whether a company should use open source software is applicable to both Windows operating systems and UNIX, despite the fact that there are currently a lot more open source software choices for UNIX than for Windows.

Rather than examine whether Windows or UNIX is better for specific tasks, it's more important to note that Linux and other free UNIX-based operating systems have matured to the point where they are viable alternatives to commercial UNIX systems. Linux is only one of a number of free UNIX operating systems, including FreeBSD, OpenBSD, and NetBSD.

There are also quite a few open source programs for the Windows platforms, which are often ported from their UNIX versions. Yet the question remains: Should a company use open source software or open source operating systems? What are the risks and advantages?

The plain truth is that most companies simply don't have the support resources to allow free or unsupported software to be used in their infrastructure. Many companies are also unfamiliar with the details of installing open source software. Unless you're an IT company, your organization probably isn't staffed with experienced C programmers and Windows NT and UNIX system administrators who have the expertise to compile and install open source software.

But that doesn't stop companies from using open source software—nor should it. IT managers are often quite surprised that many commercial UNIX systems rely heavily on vendor-modified open source software programs, most notably Berkeley Internet Name Domain (BIND) and Sendmail.

If a company had the resources to compile and install certain open source software products itself, it might be able to respond to software problems faster. For instance, imagine that a software vendor was unaware of a critical Internet security problem, or wasn't able to fix the problem when one surfaced. A company using this vendor's software could be left vulnerable for weeks or even months, a situation that has already occurred with many Internet software packages running on UNIX and Windows NT.

This leads me to the heart of the discussion about this security dilemma. Software bugs in any Internet software can lead to system exploits that are often widely publicized. Many times, commercial software vendors and system companies cannot supply updated software quickly enough to protect their customers from the exploit.

The other side of the equation is that the staff needed to support open source Internet software may be prohibitively expensive for many companies. Luckily, some vendors are beginning to provide commercial support for open source software, especially for Linux. While this certainly improves the support situation, it doesn't answer the question of whether using open source software is more or less of a security risk.

One of the main advantages of precompiled or closed source commercial software is the fact that the software is usually directly installable, with the software vendor providing some type of support. However, depending on the support offered by the vendor, this in itself can be a risk. Although precompiled software forces companies to rely entirely on the software vendor to produce a reliable product, most IT managers usually prefer to have the option of calling a vendor for support—even if it takes longer. Despite the fact that commercial software vendors are in the business of producing software, sometimes they are not the experts.

The bottom line is that any software, regardless of operating system and of whether it is closed or open source, is going to contain bugs. But if you have access to the software's source code and a staff that can compile and install it, then you may be better off in some cases.

While open source software has been ahead of the curve on Internet security issues in some instances, there have been other times in which it has lagged behind commercial software products in usability and features. Whether or not using open source software is an Internet security risk for companies is still up for discussion—but at least the discussion has begun.

Is open source an invitation to security trouble?
Not so long ago, Linux was considered immune to the viruses that plagued Windows. Now, viruses exist that can attack both operating systems. How secure are open source solutions? Share your opinion by posting below.

