Defense: Open source software is more secure than commercial code

Publicly available code has fewer security holes because more programmers work on free programs than write proprietary programs for commercial firms.

Open source software, freely available program code that the public can download and modify, which many agencies avoid because they view it as a security risk, is often more secure than the alternatives that are commercially developed, a top Defense Department official said on Thursday.

Daniel Risacher, associate director of enterprise services and integration in Defense's Office of the Chief Information Officer, helped write a memo issued on Oct. 16 that directed all Defense agencies to evaluate open source programs on an equal basis with proprietary software and to share open source code internally when appropriate.

The department's position on open source, according to the original draft of the memo, was that software that goes through a process of peer review tends to be more reliable and secure than software that has not had a similar level of review, Risacher said.

"We were trying to get the message across that open source software is often more secure," but the statement was too sweeping to make the final draft, he said during a panel discussion at the Government Open Source Conference in Washington. "So what could I say? How could I make this into a true statement?"

In the end, the final memo emphasized the "positive aspects of open source software that should be considered" by Defense agencies, including a continuous and broad peer-review process enabled by publicly available source code, which "supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team."

The memo also noted, "the unrestricted ability to modify software source code" enables the department to respond more rapidly to changing situations and threats.

"If someone hired me to write a piece of code in a proprietary fashion, then a hacker would only have to be smarter than my team to find a weakness," said John Weathersby Jr., founder and executive director of the Open Source Software Institute. "Theoretically in an open source model, where anyone and everyone can review the code, then a malicious hacker must be smarter than all of us."

Still, open source doesn't remove all the risk of a security breach, he said. "I don't believe it is a black-and-white topic," Weathersby said. "Open source provides the opportunity for a program to be developed and maintained in a more secure manner, but it is dependent on the program, the people who implement it and how it's maintained."

Proprietary software companies, including Microsoft, have released their code for the public to review but under the disclaimer that developers who replicate the code to build their own products violate copyright laws.

"That doesn't create the incentive for people to actually come in" and review the code, because there's little potential gain, Risacher said.

So, people such as Daniel Walsh, principal software engineer for security at open source software vendor Red Hat, won't help review commercial software. He says he will not look at proprietary code from a competing vendor because he fears his company will be accused of copyright infringement if similar code appears in its products.

In open source, "The community fights over [code] because they have a vested interest in either one-upping each other or proving their code is better," said Steve Battista, lead information security scientist for Mitre Corp. "There's a group of people that mutually distrusts each other, and that's a good thing."

But for federal contractors trying to convince management that open source is a viable option, the challenge is to overcome the perception of liability. "If you're discussing a potential patch release" in the open source community, and the vulnerability "causes issues with a government customer, the company could wind up liable," said Dave Crenshaw, a conference attendee who works for a large defense contractor. "I push open source in my company all the time, but that's the challenge I always face."

Risacher calls such a scenario a red herring. "I can have [defense contractors] use this open source code that's proven, or I can pay them to redevelop it, which will introduce a whole bunch of vulnerabilities no one's discovered before," he said. "You're liable whether you write or download [code], or buy proprietary software. If you're a contractor, you're on the hook."