Open source courses through DOD

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2002/1028/web-open-11-01-02.asp

By Dan Caterinicchia 
Nov. 1, 2002

What would happen if open source software were banned in the Defense
Department?

A recent study conducted by Mitre Corp. for DOD posed that
hypothetical question and found this answer: The department's
cybersecurity capabilities would be crippled and other areas would be
severely impacted.

Mitre Corp. was asked to develop a listing of open-source software
applications at DOD and to collect representative examples of how
those applications are being used. Over a two-week period, an e-mailed
survey identified 115 applications and 251 examples of use, and
Mitre's report acknowledged that actual use could be "tens of
thousands of times larger than the number of examples identified."

To help analyze the data, the hypothetical question was posed: What
would happen if open-source software were banned at DOD?

Version 1.2 of the report, "Use of Free and Open Source Software
(FOSS) in the U.S. Department of Defense," was released Sept. 20 to
the Defense Information Systems Agency (DISA), and found that
open-source software applications are most important in infrastructure
support, software development, security and research.

"The main conclusion of the analysis was that FOSS software plays a
more critical role in the DOD than has generally been recognized,"  
according to the report.

In open-source software, such as Linux, the source code is publicly
available and gives users the right to use, copy, distribute and
change it without having to ask for permission from any external group
or person.

After receiving a working draft of the report in May, DISA solicited
insights from DOD and the private sector, said Rob Walker, DISA's
Net-Centric Enterprise Services program manager, in a presentation at
an open-source conference in Washington, D.C., this week.

The examination raised three concerns about the use of open-source
software:

* Exposing system vulnerabilities.

* Introducing Trojan software, which is hostile software covertly
  placed in ordinary applications.

* Developing new software that incorporates "general public license"
  (GPL) source code. This means the entire new product must be given a
  GPL, which would impact DOD software development and research areas.

Walker's presentation dismissed the first two concerns, finding that
the pre-emptive identification of security holes by friendly analysts
outweighs the danger of hostile attacks, and that the introduction of
Trojan software in open-source environments is no greater than in
proprietary ones.

DOD officials' main open-source concern involves the licensing, but
"with reasonable care, GPL software can be used without disrupting
other licenses," Walker said. He added that the introduction of
unusually restrictive licenses, like some used by Microsoft Corp.,
"presents a more significant issue."

Mitre's report recommended three policy-level actions to help promote
optimum use of open-source within DOD:

1. Create a "generally recognized as safe" open-source software list
   to provide official recognition of applications that are
   commercially supported, widely used, and have proven track records
   of security and reliability.

2. Develop generic policies to promote broader and more effective use
   of open-source, and encourage the use of commercial products that
   work well with the software. A second layer of customized policies
   then should be created to deal with the four major use areas --
   infrastructure, development, security and research.

3. Encourage the use of open-source to promote diversity in systems
   architecture, which would reduce the cost and security risks of
   being fully dependent on a single software product.
 
 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.