Has security become a non-issue for enterprise Open Source?



But while Open Source could be a viable alternative to most proprietary software and applications, the effectiveness of Open Source antivirus and anti-spam programs is ‘a completely different story’, Golovanov said.

“There’s no way these [Open Source antivirus programs] can be effective today,” he said, noting the difference between Open Source programs that allow public access to source code, and free antivirus programs that are offered at no charge.

“The thing is that today antivirus is more a service than a complete product -- any antivirus [program] is almost useless without proper and regular updates. As an example, we provide updates approximately every 30 to 40 minutes, and we have to keep our antivirus labs working 24/7/365.

“And due to the fact that Open Source antivirus [programs] are created and supported by enthusiasts when they have free time, there’s no way an Open Source antivirus [program] can have regular and reliable support,” he said.

Max McLaren, who is the General Manager of Red Hat Australia, sings a different tune.

He highlighted SELinux, which was developed in collaboration with the U.S. National Security Agency in 2004, and is distributed with commercial support as part of Red Hat Enterprise Linux version 4 and all future releases.

While it does not perform antivirus tasks per se, SELinux -- or Security-Enhanced Linux -- enforces mandatory access control policies that reduce the ability of user programs and system servers to cause harm when compromised.

SELinux also is aligned with the U.S. Department of Defense’s Trusted Computer System Evaluation Criteria and involves role-based access control (RBAC), mandatory integrity controls and type enforcement architecture.

“We’ve had a number of Australian government organisations choose Red Hat because of that,” McLaren noted.

Currently, Red Hat Enterprise Linux has been adopted in security-critical applications such as the U.S. Army’s personnel records management system; the U.S. Navy’s IT environment; the IT infrastructure of the town council of the Italian city of Marsala; and Europcar Australia’s desktop and server environment.

“The perception in the marketplace is that there is a concern about unsupported software,” McLaren said.

“I think customers feel confident [in Red Hat software] when they understand the difference between unsupported and supported Open Source,” he said, adding that Red Hat Enterprise Linux employs the ‘same level’ of testing as proprietary software.

McLaren described similarities between SELinux and Microsoft’s User Account Control infrastructure that has been introduced with Windows Vista, adding that ‘imitation is the best form of flattery’.

But according to Bruce Schneier, Open Source security is so far beyond that of software giant Microsoft that the comparison is moot.

“Comparing the security of Linux with that of Microsoft Windows is not very instructive,” he told iTnews. “Microsoft has done such a terrible job with security that it is not really a fair comparison.”