Archive for the ‘Open Source’ Category

Incomplete Thought: Why We Need Open Source Security Solutions More Than Ever…

July 17th, 2010 1 comment
Illustrates a rightward shift in the demand curve.
Image via Wikipedia

I don’t have time to write a big blog post and quite frankly, I don’t need to. Not on this topic.

I do, however, feel that it’s important to bring back into consciousness how very important open source security solutions are to us — at least those of us who actually expect to make an impact in our organizations and work toward making a dent in our security problem pile.

Why do open source solutions matter so much in our approach to dealing with securing the things that matter most to us?

It comes down to things we already know but are often paralyzed to do anything about:

  1. The threat curve and innovation of attacker outpaces that of the defender by orders of magnitudes (duh)
  2. Disruptive technology and innovation dramatically impacts the operational, threat and risk modeling we have to deal with (duh duh)
  3. The security industry is not in the business of solving security problems that don’t have a profit motive/margin attached to it (ugh)

We can’t do much about #1 and #2 except be early adopters, by agile/dynamic and plan for change. I’ve written about this many times and built and entire series of talks presentations (Security and Disruptive Innovation) that Rich Mogull and I have taken to updating over the last few years.

We can do something about #3 and we can do it by continuing to invest in the development, deployment, support, and perhaps even the eventual commercialization of open source security solutions.

To be clear, it’s not that commercialization is required for success, but often it just indicates it’s become mainstream and valued and money *can* be made.)

When you look at the motivation most open source project creators bring a solution to market, it’s because the solution generally is not commercially available, it solves an immediate need and it’s contributed to by a community. These are all fantastic reasons to use, support, extend and contribute back to the open source movement — even if you don’t code, you can help by improving the roadmaps of these projects by making suggestions and promoting their use.

Open source security solutions deliver and they deliver quickly because the roadmaps and feature integration occur in an agile, meritocratic and vetted manner than often times lacks polish but delivers immediate value — especially given their cost.

We’re stuck in a loop (or a Hamster Sine Wave of Pain) because the problems we really need to solve are not developed by the companies that are in the best position to develop them in a timely manner. Why? Because when these emerging solutions are evaluated, they live or die by one thing: TAM (total addressable market.)

If there’s no big $$$ attached and someone can’t make the case within an organization that this is a strategic (read: revenue generating) big bet, the big companies wait for a small innovative startup to develop technology (or an open source tool,) see if it lives long enough for the market demand to drive revenues and then buy them…or sometimes develop a competitive solution.

Classical crossing the chasm/Moore stuff.

The problem here is that this cycle is broken horribly and we see perfectly awesome solutions die on the vine. Sometimes they come back to life years later cyclically when the pain gets big enough (and there’s money to be made) or the “market” of products and companies consolidate, commoditize and ultimately becomes a feature.

I’ve got hundreds of examples I can give of this phenomenon — and I bet you do, too.

That’s not to say we don’t have open-source-derived success stories (Snort, Metasploit, ClamAV, Nessus, OSSec, etc.) but we just don’t have enough of them. Further, there are disruptions such as virtualization and cloud computing that fundamentally change the game that we can harness in conjunction with open source solutions that can accelerate the delivery and velocity of solutions because of how impacting the platform shift can be.

I’ve also got dozens of awesome ideas that could/would fundamentally solve many attendant issues we have in security — but the timing, economics, culture, politics and readiness/appetite for adoption aren’t there commercially…but they can be via open source.

I’m going to start a series which identifies and highlights solutions that are either available as kernel-nugget technology or past-life approaches that I think can and should be taken on as open source projects that could fundamentally help our cause as a community.

Maybe someone can code/create open source solutions out of them that can help us all.  We should encourage this behavior.

We need it more than ever now.


Enhanced by Zemanta

IDC Study Suggests Security Drives Open Source Technology Deployment In Asia/Pacific

October 4th, 2007 11 comments

I’m still not sure I’ve fully digested the conclusion that this IDC study suggests and I’m not in a position to currently spend $4500 on the full report to do so.  However, I found the article which summarizes the catalysts of Open Source adoption in APAC countries to be very interesting:

The top most influential factor for deploying open source
technology in Australia, Korea, India and the People’s Republic of
China is better protection against security breaches, according to a
survey by IDC. "The results indicate that organizations perceived open
source technology as providing better security compared to proprietary
products," said Prianka Srinivasan, a software market analyst with IDC

Huh.  Really?  Security is the top reason?  That’s intriguing but makes my right eyebrow curl.

survey results also suggest that organizations in India and the
People’s Republic of China (PRC) deployed open source technology more
than their counterparts in Australia and Korea. Furthermore, as
expected, a larger number of small and medium size businesses (SMBs) in
all four countries were deploying open source technology compared to
large businesses.

The IDC survey measured key factors contributing to the deployment
of open source technology. Top factors cited by respondents include:

  • Provides better protection against security
  • Budget constraints
  • Sufficient support from vendors
  • Availability of required functionalities
  • Better management tools and utilities
  • Recommended by fellow industry peers
  • Preference of open standard adoption compared to proprietary products

"Though cost-efficiency remains a key decision factor, the results
also suggest that organizations look forward to leverage open source
technology to primarily fulfill their requirements for specific
functionalities instead of widespread deployment," said Srinivasan.

When segmenting the data by company size, it emerged that SMBs in
all four countries deployed open source technology primarily to ensure
protection from security threats, which is similar to large
organizations in Australia, India and the PRC. Large organizations from
Korea, however, cited better management tools and utilities as the
leading factor.

I get all that and it sounds reasonable if not somewhat out of order.

The part I’m grappling with is that while security is represented here as the number one reason for adoption, I have this funny feeling that in some of these "developing" nations (from an IT perspective) that the word FREE really is the prime motivator and security, management, features, etc. are gravy.  I can’t really argue with the study since I didn’t conduct it, but it just doesn’t jive for me.

I‘m going to (gasp!) step into the role of agent provocateur here and suggest that I’m not convinced that Open Source security software yields a more secure business, especially in the SMB realm.  SMB’s don’t have security experts, so how is it that these folks who can barely install toner cartridges can perform source code analysis? 

I think that perhaps the thought of having many people’s eyeballs on the source code may deliver an advantage as an extended QA function from a security perspective at which point people "feel" more secure but it’s the monkeys configuring and deploying said software one needs to be worried about.

Let’s be real.  Given a choice to download pre-compiled binaries, ISO’s or virtual appliances versus source code that requires library linking and compiling, which route is an SMB going to take?  Right.

The last paragraph from IDC’s tickler really cements my thinking on this matter:

"IDC believes that open source technology and software will appear
in the higher end of the application stack in the coming years.
Commercial vendors of open source software will need to provide
extensive support and training services, as well as address the issues
of interoperability, in order to take advantage of the addressable
market for open source technology in the region," added Srinivasan.

Um, yep.  I’m willing to bet that Open Source will continue to be deployed in these developing countries with SMB’s as a way to offset operational expenditures — at least at first.  Then the issue of long term vendor support will rare its ugly head.   Sometimes the security of "free" is outweighed by the insecurity of "unsupported."

Using the security market as an example, we’ve obviously seen the success of companies like Sourcefire, Tenable and StillSecure with their Open Source and Open Source derivative licensing and support mechanisms.  I guess I’d really need to understand how IDC is defining Open Source in their study because I feel it may have made a difference as to how I reacted.

As we move along, I reckon we’ll see a burgeoning market for companies whose offerings focus on providing general sets open source software support.  They are around today, but the number and type of applications usually prove to be quite small.

From the opposite angle, I think we’ll also see the proliferation of hosted applications in the SaaS realm which are based on OSS and may have tiered levels of usage and support…sort of like GoogleApps but with Open Source.  If it’s hosted, you’ve got a single neck to choke.

What do you think?  If you were in an SMB’s shoes, would you rank security as the number one reason you’d adopt Open Source? 



Read more…

Categories: Open Source Tags: