Penguins at the Gate
Only a few open-source vendors have borne the time and expense of having their software EAL-certified. Red Hat and Novell's SuSE Linux attained EAL3+ ratings in the last year, but many other vendors have yet to do the same. This raises a fundamental question: Does open-source software need security certifications to win global acceptance?
Feb 2, 2005 5:00 AM PT
Open source is undeniably on the march. Linux continues to grow at a torrid pace -- now forecast by IDC to represent a US$35 billion market by 2008 -- though it has yet to significantly breach the desktop market. Mozilla's Firefox browser debuted with much fanfare recently, with over ten million downloads recorded in a single month. So far, open source has captured plenty of converts and customers, not to mention media attention and the ire of Microsoft. Is there nothing to slow its mighty advance?
Greater global acceptance of open source depends on three things: continued development of customer-driven applications; a track record of cost-effective adoption by enterprises; and recognition of open technologies as secure alternatives to proprietary software.
At the moment, it is the third element -- security -- that remains underappreciated by many open-source proponents, but not because open source is inherently insecure. The Linux kernel, for example, has fewer flaws than typical commercial software. However, what matters most is not what programmers know, but what customers believe. Chief among the customers to convince: government.
A Chink in the Armor?
When Venezuela's maverick president Hugo Chavez becomes the latest crusader for open source, one might reasonably pause to ask: Has open source really gone global, or has it only taken root at the margins based on the company it keeps?
On both the political and business fronts, the public sector has been a leading indicator -- some say battleground -- in the global open source market. At latest count, governments in at least 36 countries have officially adopted, or at least approved, open-source solutions in their public sector architectures.
In the United States, open source has made notable inroads. According to the U.S. General Services Administration, open-source technology runs up to twenty-five percent of federal Web servers. Agencies including Defense, Commerce, NASA and the Census Bureau visibly use open-source products. Even the Office of Management and Budget has recommended that agencies consider open source in their procurement decisions.
So what is stopping open source from grabbing more territory in the public IT space? Security, among other factors.
As many in the field know, the Common Criteria are an international standard for evaluating IT security (ISO/IEC 15408), used to assess the security functionality a product claims and the evidence behind those claims. Evaluation Assurance Levels (EALs), which range from EAL1 to EAL7, measure how rigorously a product's documentation, design, testing and vulnerability analysis were examined; a higher EAL means a more thorough evaluation of the claimed functionality, not a stronger set of security features.
Only a few open-source vendors have borne the time and expense of having their software EAL-certified. Both Red Hat and Novell's SuSE Linux attained EAL3+ ratings in the last year, but many other vendors have yet to do the same.
This raises a fundamental question: Does open-source software need security certifications to win global acceptance? Does it add any value to the value proposition of open source? Put simply, is certification worth the expense and effort?
Experts may argue over the merits of certification. Certainly certification does not prove that an open-source system is secure. Microsoft's Windows 2000 holds an EAL4 certification, for example, and few consider it a paradigm of security.
Keys to the Citadel
But at the same time, like it or not, many governments and enterprises require assessments of the security and assurance of technology products before committing to large-scale procurement.
By accepting a paper assurance in place of proof that a given deployment is secure, is certification, in some sense, putting the cart before the horse (or the penguin)? Well, in a word, yes.
Certification does not guarantee the security of any deployment. An evaluation covers a specific product configuration (the target of evaluation) under stated assumptions about its environment, so a system configured differently inherits none of that assurance. Rather, certification is a confidence-boosting measure. At the very least, EALs offer some comfort that an independent evaluation has been done. More importantly, it is part of a process that reinforces the perception (and reality) that open-source software is a viable alternative to its proprietary competitors.
Certification is costly, and arguments over the total cost of ownership already dog open source. But certification lowers the TRO -- total risk of ownership -- and may spare an enterprise a debilitating TKO (technical knockout) of a mission-critical system. The goal is increased confidence, not a guarantee of perfect system security. Seen this way, certification is just one form of risk management.
More often than not, governments are driving this horse. For open-source vendors to compete for this customer set, they need to face public-sector demands for certification. The good news, however, is that they need not face this alone. Governments have been a crucial catalyst and partner.
Given the stakes involved, security certification for the deployment of open-source software is an area of opportunity for industry, and one ripe for public-private partnerships, especially in situations where security is at a premium.
Though a rare occurrence today, examples exist. The Department of Defense has collaborated with Hewlett-Packard and the Open Source Software Institute to have open-source cryptographic components validated for use in applications that require strong cryptography (a cryptographic-module validation rather than a Common Criteria evaluation, but driven by the same procurement rules). More recently, a consortium of companies won a multi-million contract from the French Ministry of Defense to improve Linux security by bringing the open-source operating system up to Common Criteria EAL5.
When industry and governments pursue greater collaboration on certification, open source will cross the final threshold to global acceptance.
Jeffrey A. Kaplan is the Founder and Director of the Open ePolicy Group, based at the Berkman Center for Internet & Society at Harvard University. He can be reached at firstname.lastname@example.org.