Ask HN: My infosec auditor rejects open source. What now?
We're obligated to complete a new proprietary audit and we’ve hit a snag: the auditor doesn't accept open source, but her disapproval is inconsistent. pfSense is questionable. Elastic fails to meet her standards. OpenVPN passes. AlienVault OSSIM fails. Linux generally passes. Firefox fails.
She suggests that open source projects can disappear without notice. For instance, instead of AlientVault OSSIM, she prefers AlienVault's premium USM, despite USM’s reliance on the same open source projects.
Is this any better? Does AlienVault have the resources to maintain major components of their system after my auditor’s worst fears for open source are fully realized? Is the OSSEC project in any danger of collapsing soon? Are the linux kernel developers getting ready to close up shop?
Risk calculation is tricky, but I would accept those associated with these projects disappearing any time soon.
We invested in infrastructure upgrades this year in response to this audit. We don’t have the resources to acquire more commercial solutions when there appears to be acceptable (and popular) free and open source alternatives. We’ve already deployed AlientVault OSSIM at our sites, along with a few Elastic stack nodes. We use these systems to satisfy log aggregation, HIDS, IDS, IPS, and vulnerability detection requirements, etc. She shelved the discussion for now, but the issues on her tracker have yet to be remediated.
How do I move forward? Are there any resources I can share with her making my case for open source software?
tl;dr: Our auditor arbitrarily objects to open source for remediating security risks. How do I convince her these software solutions should be acceptable?
17 comments
[ 3.4 ms ] story [ 39.9 ms ] threadLong answer: it's a risk game, you may get away by showing that you have processes in place to manage this risk for open source projects: * internal backup of the source tree. * in-house skills to perform basic patching of the software if the development get discontinued. * alternative solution and roll-out plan in case the development of your current solution gets discontinued. * ...
Finally, risks can be accepted and someone ("the business") can sign-off on them. You don't have to remediate everything. It's just an awareness exercise for "the business".
If however its a more general/vague concern about OSS support then you'll have a hard time dealing with it and acceptance may be the appropriate route.
1. They can't. Someone can decide to stop working on a project, but it can not disappear.
2. You know what can disappear? commercial products.
This this this this! In fact, commercial software is GUARANTEED to disappear. Once it is no longer profitable to support the software, the commercial outfit has a duty to stockholders (in the case of public companies) to abandon the software and their customers. Once it's abandoned, it's impossible to provide support. At least with open source projects, you have both pieces of the broken case to glue back together when it brakes. If you are a Red Hat customer, I bet they would be game to talk to your auditor about the merits and benefits of open source security.
Here's a DOD guide to OSS, it might help a bit? Very interesting that the Government defines OSS as a subset of commercial software - "commercial" means anything available to the public, as opposed to private software. They do not distinguish between paid and free software or between companies and individuals.
http://dodcio.defense.gov/Open-Source-Software-FAQ/
See specifically the section "Why is it important to understand that open source software is commercial software"
Also see "Is there any quantitative evidence that open source software can be as good as (or better than) proprietary software?"
And there are links to resources for evaluating OSS licenses.
As others say, it sounds like you need a better auditor.
There are entire vendors who specialize in selling open-source software with commercial support; Red Hat is the most famous example.
We also maintain a premium OpenDNS account, integrated with Active Directory to assist in web content filtering. Because the word 'Open' appears in the product's name, she assumed that the solution was FOSS, and determined that it was insufficient in the context of the audit she was conducting.