Are open source network security tools really as secure as those available for sale?
Yes, say a growing number of enterprises implementing open source security tools. While some are understandably hesitant to employ solutions that are openly available to hackers and users alike, many organizations are finding that open source tools not only cost less than their commercial counterparts, they are at least as secure as commercial products, if not more so.
"Generally speaking, I think the reliance on open-source security tools in enterprise is increasing, but relatively slowly," reports Ed Moyle of consulting firm Security Curve. "We are seeing reduction in use within areas that have traditionally been dominated by open source, but that reduction is being made up for by some relatively rapid gains in other areas that have been traditionally dominated by commercial tools."
Should your company follow the crowd moving towards open source network security? That depends on which is more important to you: an agile solution that doesn't cost much or a comprehensive solution that comes with plenty of support.
The Benefits of Open Source Security
Obviously, the number one benefit of incorporating open source tools into your security plan is the cost—or rather the lack of cost. While no software implementation is ever truly free (you always have staff time involved), getting the code at no charge can be a huge attraction for budget-conscious IT departments.
Free software can be particularly attractive when the software is being deployed in order to cope with a changing regulatory environment. "Regulatory issues can arise rapidly and are often outside of the budget cycle," notes Moyle. "Open-source solutions can be rapidly deployed at the cost only of a time investment from technical staff —while the commercial counterpart might require a whole budget acquisition process, approval, contract negotiation, etc."
Open source tools also provide companies with greater agility and control over their own security. Small commercial security software vendors go in and out of business with alarming regularity. In some cases, companies have no way to know if the product they purchase today will still be available in a few years. Using open source tools allows you to customize your security solution to meet your needs today and to modify that solution in the blink of an eye when your needs change.
Finally, proponents of open source security tools often argue that allowing everyone to see the source code naturally results in a more secure product. Enterprises can view and test the code before they choose to implement it. And theoretically, because so many eyes are looking at the code, there are many more chances to find bugs.
On the other side of the argument are those who believe that open-source tools are not as secure as commercial tools with "secret" code. After all, the "bad guys" can access the code just like the "good guys." However, most experts seem to agree that open source software can be secure—if programmers actually take the time to evaluate it.
"Just because a program is open source does not guarantee security," concludes open source security writer Dan Wheeler. "People have to actually review the code."
The Drawbacks of Open Source Security
The biggest downside of open-source security tools is the lack of support. While many tools have very active user communities and/or the option of paying for support, many do not. The problem is particularly bad for newer tools that haven't yet built a large install base. This lack of accountability can turn away some potential users.
Moyle says that when they select software, many companies "want to make sure that there is someone to get support from and that there is someone to hold accountable in the event that there's an issue. In the open source world, these things can be hard to come by."
Secondly, as good as they are, many open source tools are not enterprise-ready without some significant adaptation. In most cases, companies end up cobbling together a number of different open source tools along with some code developed in-house in order to create a complete solution. Many also combine some open source code with some commercial products in order to achieve the results they want.
Next page: The List of Ten Open-Source Security Apps