Open Source Security, Part 1: Securing Credibility

Open source applications have come into their own. For some time, open source programmers held much the same reputation as shareware authors. They were little more than experimenters and programming geeks who chose the alternate code-writing route because they could not or did not want to compete in the real software industry of commercial programming.

Now many software developers rely on open source code either in whole or in part. A very workable business model has developed around the concept of building programs around shared or publicly available code.

Often, open source programs are available for free with some free support available from onlinecommunities. Users desiring more enhanced features can buy into commercial-grade open source applications via commercial versions or paying for support for the free version.

Submission Shunned

Nowhere is this open source option more crucial than when it is applied to security applications. Whileopen source products are generally in good supply today in business suites, some quarters in the softwareindustry still carry a bias against the credibility of open source security applications.

Open source network gateway developer Untangle did not expect to find its request for certified testing ofthe popular open source virus security product ClamAV shunned. When it was, Untangle decided to do its own test to see how the open source antivirus product stacked up against proprietary products.

“The age-old debate is rekindled. Which is more secure, open source Clam AV or a commercial antivirusproduct?” Bob Walters, CEO of Untangle, told LinuxInsider.

The Main Problem

A year ago, open source advocate Dirk Morris, Untangle’s founder and CTO, tried to contract withthird-party testing houses to compare open source antivirus products against proprietary securityproducts. He was frustrated in his efforts to find a testing house willing to do an independent test.

In Morris’s view, the open source community produces an antivirus software database as good or better than proprietary software companies because there are so many more people contributing viruses to the open source database on an ongoing basis. However, ClamAV was the only open source antivirus product he tested because there are very few of them in existence.

Untangle decided two years ago it would add an antivirus product to its open source gateway platform.Morris lined up numerous commercial and open source products to test them before selecting which one the company should use. Morris pulled a bunch of month-old viruses from his office in-box for his own tests.

“I was shocked. The results were not at all what I expected,” Morris told LinuxInsider. “I startedthinking that maybe all antivirus products are not the same.”

Taking the Test

Based on the virus-hunting and removal performance, Morris’s own tests led him to determine that ClamAV outperformed all the commercial products he tested. As a result, Untangle decided to go with ClamAV.

However, neither Morris nor Walters was happy about the unsettled debate over open source versus closed source security products. So Morris convinced Walters to take their tests further.

“We found that ClamAV was the quickest with the least drained resources. We also noticed that same thingwith other types of open source security products,” Morris said. “I didn’t believe that open source wasbetter. Now I do.”

Walters agreed. His company uses about 90 percent open source in its products, so using ClamAV based on the company’s own testing for spam and antivirus performance made sense, he said.

“We couldn’t see any differences so we went with the open source option for free. The best of both campswere just as good,” said Walters.

Next Round

Morris declined to identify the testing labs. “Some people clearly are not rooting for open source,” hesaid.

Morris and Walters intended to settle the security product debate at the LinuxWorld Conference and Expo this month by conducting a test on various open source and proprietary security products for all to see.

On the open source side, Untangle aimed to test ClamAV and Global Hurry. The proprietary vendors were represented by Norton, McAfee, Fortinet, Watchguard and SonicWall.

In the contest’s preliminary results, ClamAV caught every one of the 25 viruses thrown at it. Two of the proprietary applications missed many more; one even failed to catch all but a single virus.

All vendors should have caught all of these viruses — none were new and all were quite common, said Morris.

“Some of these products are so bad it’s a scam to sell them as antivirus solutions,” he commented.

Information is available on how the community builds the virus database for ClamAV.

Browser-Based Breaches

Some security experts see the debate of open source versus proprietary security products as incomplete inisolation. One of the most common infection routes for spam and viruses is the Internet. The questionof which browser is used — open source or proprietary — becomes part of the argument.

“Attacks against both proprietary and open source browsers are somewhat the same,” Paul Zimski, seniordirector of product and marketing strategies for PatchLink, told LinuxInsider. PatchLink provides patchand vulnerability management solutions.

Browsers have to go on the Internet and fetch mobile code. It is a constant struggle to lock downapplications, regardless of the source of their code, he said.

Open Source Security, Part 2: 10 Great Apps

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Enterprise

LinuxInsider Channels