FOSS Security

Security is complicated. This is why open development is a key factor and a precondition for creating secure solutions. Security is getting more important every day. Also, with the rise of machine learning applications, many data-driven solutions are polluted with privacy-related data.

When development happens in the open, you can directly verify whether a vendor is actively pursuing security and privacy, and watch how it treats issues. The ability to study both the process followed and the source code developed means that anyone can perform an independent audit, not only of the code but also of the processes used!

So besides code, open development means that an open process is followed: a process in which you can see and check whether mandatory baselines and principles are applied.

Tip: Why reinvent the wheel, or pay for very expensive solutions that fail? Using FOSS software always has extra advantages over commercial software. Besides being less dependent on one vendor or supporting company, you can more easily adjust the software to your specific needs.

To increase security and protect our privacy, open source solutions are more and more seen as a very good option. Within more and more companies worldwide we notice a trend towards adopting open source solutions for security and privacy protection. Governments worldwide can no longer depend on and trust closed source software for their security infrastructure. Gartner predicts that by 2016 99% of Global 2000 enterprises will use open source in mission-critical software. So open source solutions for controlling security and privacy are slowly but steadily becoming the new de facto standard.

As many security experts already know: transparency and openness increase security protection levels. However, there is still a lot of resistance against using open source for business use, especially when it comes to security and privacy functionality. This chapter covers facts and demystifies fads regarding open source security and privacy products.

When discussing the use of open source products for security and privacy services, two important questions arise:

  1. Why should open source be used for security functionality?

  2. How can the quality of open source products for security and privacy be determined and judged?

FOSS quality is a very popular field for PhD students and analyst companies. However, we think that practical experience of business use, along with deep technical knowledge, is required in order to give good advice to a company.

Tip

Smart and fast quality check for FOSS security software: a good way to judge the quality of FOSS software building blocks regarding security is to use the OpenSSF Best Practices Badge criteria checklist.

Some core benefits of using FOSS software for security are:

  • Higher quality software

  • Ability to safely leverage open source tech

  • Designed to work with cloud and cloud-native technology

  • Better security

Tip

Tip to convince your peers: check the report The State of Enterprise Open Source for more benefits.

Warning

A good security product should never introduce extra vulnerabilities. However, many low-quality security products increase your cyber risk profile instead of lowering it.