Open Source Cybersecurity

May 27, 2011

According to an article at the LiveScience site, a new initiative has been launched by the US Department of Homeland Security to investigate the suitability of open-source software to satisfy cyber-security requirements.

A new five-year, $10 million program aims to survey existing open-source software to find those that could fill “open security” needs. Called the Homeland Open Security Technology program, or HOST, it also may plant seed investments where needed to inspire innovative solutions that can fill gaps in cybersecurity defenses.

The program does not aim to mandate open-source solutions, but to examine the degree to which they might meet identified needs.

One obvious attraction of this approach is that open-source software is often (though not necessarily) free, meaning that the government could save on licensing costs.  A potentially bigger advantage, in my view, is that open-source solutions can offer superior security.  As I’ve discussed here before, it is an accepted principle in cryptography that the only methods that can be regarded as secure are those which have been made available for scrutiny.  There is a very considerable body of evidence  to support the idea that “security by obscurity” does not work, despite the intuitive appeal of keeping everything secret.  In the software world, there has certainly been no lack of security flaws in proprietary, closed-source software; perhaps more to the point, the lack of general availability of  the source code has not prevented the Bad Guys from finding those flaws.

The HOST program is part of a general security push in connection with the legislative proposals recently issued by the White House.  I’ll discuss those in a future post here.

%d bloggers like this: