Defense: Open source software is more secure than commercial code

Open source software, program code that is freely available for the public to download and modify, is often more secure than commercially developed alternatives, even though many agencies avoid it because they view it as a security risk, a top Defense Department official said on Thursday.

Daniel Risacher, associate director of enterprise services and integration in Defense's Office of the Chief Information Officer, helped write a memo issued on Oct. 16 that directed all Defense agencies to evaluate open source programs on an equal basis with proprietary software and to share open source code internally when appropriate.

According to Risacher, the original draft of the memo stated the department's position on open source as follows: software that goes through a process of peer review tends to be more reliable and secure than software that has not had a similar level of review.

"We were trying to get the message across that open source software is often more secure," but the statement was too sweeping to make the final draft, he said during a panel discussion at the Government Open Source Conference in Washington. "So what could I say? How could I make this into a true statement?"

In the end, the final memo emphasized the "positive aspects of open source software that should be considered" by Defense agencies, including a continuous and broad peer-review process enabled by publicly available source code, which "supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team."

The memo also noted, "the unrestricted ability to modify software source code" enables the department to respond more rapidly to changing situations and threats.

"If someone hired me to write a piece of code in a proprietary fashion, then a hacker would only have to be smarter than my team to find a weakness," said John Weathersby Jr., founder and executive director of the Open Source Software Institute. "Theoretically in an open source model, where anyone and everyone can review the code, then a malicious hacker must be smarter than all of us."

Still, open source doesn't remove all the risk of a security breach, he said. "I don't believe it is a black-and-white topic," Weathersby said. "Open source provides the opportunity for a program to be developed and maintained in a more secure manner, but it is dependent on the program, the people who implement it and how it's maintained."

Proprietary software companies, including Microsoft, have released their code for the public to review but under the disclaimer that developers who replicate the code to build their own products violate copyright laws.

"That doesn't create the incentive for people to actually come in" and review the code, because there's little potential gain, Risacher said.

So, people such as Daniel Walsh, principal software engineer for security at open source software vendor Red Hat, won't help review commercial software. He says he will not look at proprietary code from a competing vendor because he fears his company will be accused of copyright infringement if similar code appears in its products.

In open source, "The community fights over [code] because they have a vested interest in either one-upping each other or proving their code is better," said Steve Battista, lead information security scientist for Mitre Corp. "There's a group of people that mutually distrusts each other, and that's a good thing."

But for federal contractors trying to convince management that open source is a viable option, the challenge is to overcome the perception of liability. "If you're discussing a potential patch release" in the open source community, and the vulnerability "causes issues with a government customer, the company could wind up liable," said Dave Crenshaw, a conference attendee who works for a large defense contractor. "I push open source in my company all the time, but that's the challenge I always face."

Risacher calls such a scenario a red herring. "I can have [defense contractors] use this open source code that's proven, or I can pay them to redevelop it, which will introduce a whole bunch of vulnerabilities no one's discovered before," he said. "You're liable whether you write or download [code], or buy proprietary software. If you're a contractor, you're on the hook."
