Those responsible for enterprise security are increasingly turning to open-source applications in lieu of security products based on proprietary code -- and for many good reasons.
"Where open-source tools have an advantage in an enterprise is in their timeliness," said cryptography guru Ed Moyle of Security Curve. "Since no budget has to be allocated to deploy an open-source tool, it can often hit the ground faster than a commercial counterpart."
On the other hand, there is the question of accountability, Moyle noted. "Since there is no commercial entity overseeing a tool, on whom can the enterprise place pressure for added features or support?"
According to most security professionals, a top-tier open-source security tool must have a long enough track record that a practitioner can deploy it with confidence, and a large enough developer base that fixes ship promptly when vulnerabilities are discovered.
It must also have a large enough user base that most support questions have already been answered in a public forum. Many tools meet these requirements and are in fact deployed at many large companies.
Tackling Basic Security Issues
Anthony Nadalin, Chief Security Architect for IBM's software group, recommends the Bouncy Castle cryptography libraries (with Java and C# APIs) and OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols that also ships a general-purpose cryptographic library.
"What most customers are looking for are secure, reliable transactions," Nadalin said. Bouncy Castle and OpenSSL form the basis for crypto and transport-level security, Nadalin said, which is one of the base requirements every customer has.
Indeed, OpenSSL is at the top of nearly everyone's list. "I don't think the impact of OpenSSL can be overstated," said Yankee Group senior analyst Andrew Jaquith. "It single-handedly democratized encryption by making a very high-quality implementation available for everyone to use -- and all for free."
OpenSSL is commercial-grade and interoperates with digital certificates issued by public certificate authorities like VeriSign, Thawte and GoDaddy. "Equally important, it includes the ability to generate your own private certificates for testing purposes," he said.
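As an added illustration of the "private certificates for testing" use Jaquith describes (this is example code written for this page, not OpenSSL project code or anything from the article), the script below builds a throwaway private CA, issues a server certificate from it, and checks the result with `openssl verify` the way a TLS client would. The CA name, hostname and file names are made up, and the script assumes an `openssl` binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example: build a test CA with OpenSSL, issue a leaf certificate,
# and verify the chain plus hostname. All names and paths are invented.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_ca PREFIX CN: self-signed CA certificate, RSA-2048, 365 days.
# Writes $WORK/PREFIX.key and $WORK/PREFIX.pem.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CAPREFIX HOST: CSR for HOST, then sign it with the CA.
# A subjectAltName is added via -extfile so hostname checks work in
# modern clients, which ignore the CN.
issue_server_cert() {
    ca=$1
    host=$2
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 90 -in "$WORK/$host.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.pem" 2>/dev/null
}

# verify_against_ca CERT CAFILE HOST: exit 0 only if CERT chains to CAFILE
# and its SAN matches HOST, which is what a TLS client checks.
verify_against_ca() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Demo: a certificate issued by our CA verifies against that CA but not
# against an unrelated "rogue" CA, and not for a different hostname.
make_test_ca ca "Example Test CA"
make_test_ca rogue "Unrelated Test CA"
issue_server_cert ca test.example

if verify_against_ca "$WORK/test.example.pem" "$WORK/ca.pem" test.example; then
    echo "test.example: chains to Example Test CA"
fi
if ! verify_against_ca "$WORK/test.example.pem" "$WORK/rogue.pem" test.example; then
    echo "test.example: rejected against the unrelated CA (expected)"
fi
if ! verify_against_ca "$WORK/test.example.pem" "$WORK/ca.pem" other.example; then
    echo "test.example: rejected for hostname other.example (expected)"
fi
```

Trusting the test CA file only in the test environment is the point: it never needs to be installed in a system or browser trust store, so a leaked `ca.key` cannot be used to impersonate production hosts.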
OpenSSL also includes a library of basic cryptographic primitives, among them the message-digest (hash) algorithms used to check the integrity of downloads from third-party sites. A published digest only detects tampering if it reaches you over a channel the attacker cannot also modify; a hash listed beside the download on the same mirror can be replaced along with the file. A detached signature verified against a public key obtained out of band closes that gap, and OpenSSL's `dgst` command handles both cases.
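The following added example (written for this page, not code from the article or from OpenSSL) shows the download-integrity check with `openssl dgst`, first as a plain SHA-256 comparison and then as a detached RSA signature, and demonstrates why the signature matters: an attacker who swaps both the file and its published digest passes the hash check but not the signature check. The "release" file, its digest and the signing key are constructed inside the script; it assumes `openssl` 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: verifying a download with a digest versus a detached
# signature, using only the openssl command line. Inputs are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sha256_of FILE: lowercase hex SHA-256, parsed from "SHA256(FILE)= hash"
# (OpenSSL 3 prints "SHA2-256(FILE)= hash"; $NF works for both).
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# check_digest FILE EXPECTED_HEX: exit 0 when the digest matches.
check_digest() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# make_signing_key: vendor's RSA-2048 key pair. In practice the public
# half ($WORK/sign.pub) is what the user fetches out of band.
make_signing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/sign.key" 2>/dev/null
    openssl pkey -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub" 2>/dev/null
}

# sign_file FILE SIGFILE: detached SHA-256/RSA signature (vendor side).
sign_file() {
    openssl dgst -sha256 -sign "$WORK/sign.key" -out "$2" "$1"
}

# verify_signature FILE SIGFILE: exit 0 only if SIGFILE was made over FILE
# by the holder of sign.key (user side).
verify_signature() {
    openssl dgst -sha256 -verify "$WORK/sign.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Demo. The "release" is the three bytes "abc", whose SHA-256 is the
# well-known test vector below; the vendor publishes digest and signature.
PUBLISHED_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
make_signing_key
printf 'abc' > "$WORK/release.tar"
sign_file "$WORK/release.tar" "$WORK/release.tar.sig"

check_digest "$WORK/release.tar" "$PUBLISHED_SHA256" && echo "digest ok"
verify_signature "$WORK/release.tar" "$WORK/release.tar.sig" && echo "signature ok"

# Attacker replaces the file on the mirror and the digest next to it.
printf 'abd' > "$WORK/release.tar.tampered"
ATTACKER_SHA256=$(sha256_of "$WORK/release.tar.tampered")
check_digest "$WORK/release.tar.tampered" "$ATTACKER_SHA256" \
    && echo "digest still ok: attacker-supplied hash matches attacker-supplied file"
verify_signature "$WORK/release.tar.tampered" "$WORK/release.tar.sig" \
    || echo "signature rejected: attacker cannot forge it without sign.key"
```

The digest check is still worth doing (it catches corrupt mirrors and truncated transfers cheaply), but only the signature ties the file to the vendor. Keep the public key somewhere the attacker cannot reach, such as pinned in your build repository, rather than downloading it from the same mirror each time.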
Remote Connectivity
OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure Shell (SSH) protocol lets administrators and users open an encrypted, authenticated command shell on a remote host. (continued...)