Defense: Open source software is more secure than commercial code

Open source software, freely available program code that the public can download and modify, which many agencies avoid because they view it as a security risk, is often more secure than the alternatives that are commercially developed, a top Defense Department official said on Thursday.

Daniel Risacher, associate director of enterprise services and integration in Defense's Office of the Chief Information Officer, helped write a memo issued on Oct. 16 that directed all Defense agencies to evaluate open source programs on an equal basis with proprietary software and to share open source code internally when appropriate.

According to Risacher, the original draft of the memo stated the department's position on open source as follows: software that goes through a process of peer review tends to be more reliable and secure than software that has not had a similar level of review.

"We were trying to get the message across that open source software is often more secure," but the statement was too sweeping to make the final draft, he said during a panel discussion at the Government Open Source Conference in Washington. "So what could I say? How could I make this into a true statement?"

In the end, the final memo emphasized the "positive aspects of open source software that should be considered" by Defense agencies, including a continuous and broad peer-review process enabled by publicly available source code, which "supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team."

The memo also noted, "the unrestricted ability to modify software source code" enables the department to respond more rapidly to changing situations and threats.

"If someone hired me to write a piece of code in a proprietary fashion, then a hacker would only have to be smarter than my team to find a weakness," said John Weathersby Jr., founder and executive director of the Open Source Software Institute. "Theoretically in an open source model, where anyone and everyone can review the code, then a malicious hacker must be smarter than all of us."

Still, open source doesn't remove all the risk of a security breach, he said. "I don't believe it is a black-and-white topic," Weathersby said. "Open source provides the opportunity for a program to be developed and maintained in a more secure manner, but it is dependent on the program, the people who implement it and how it's maintained."

Proprietary software companies, including Microsoft, have released their code for the public to review but under the disclaimer that developers who replicate the code to build their own products violate copyright laws.

"That doesn't create the incentive for people to actually come in" and review the code, because there's little potential gain, Risacher said.

So, people such as Daniel Walsh, principal software engineer for security at open source software vendor Red Hat, won't help review commercial software. He says he will not look at proprietary code from a competing vendor because he fears his company will be accused of copyright infringement if similar code appears in its products.

In open source, "The community fights over [code] because they have a vested interest in either one-upping each other or proving their code is better," said Steve Battista, lead information security scientist for Mitre Corp. "There's a group of people that mutually distrusts each other, and that's a good thing."

But for federal contractors trying to convince management that open source is a viable option, the challenge is to overcome the perception of liability. "If you're discussing a potential patch release" in the open source community, and the vulnerability "causes issues with a government customer, the company could wind up liable," said Dave Crenshaw, a conference attendee who works for a large defense contractor. "I push open source in my company all the time, but that's the challenge I always face."

Risacher calls such a scenario a red herring. "I can have [defense contractors] use this open source code that's proven, or I can pay them to redevelop it, which will introduce a whole bunch of vulnerabilities no one's discovered before," he said. "You're liable whether you write or download [code], or buy proprietary software. If you're a contractor, you're on the hook."