On Open Source, Security, and Government Consideration


I received a press release from Fortify Software today, suggesting that in the face of growing calls for Government procurement officials to embrace open source projects, officials need to be wary, and insist on secure development processes for any open source considerations.
 
Here’s an excerpt:
 
President Obama’s Administration is being encouraged to embrace open source software, copying a similar UK government game plan. However, the Administration needs to insist that secure development processes are in place for open source projects, says Fortify Software, the software security assurance experts.
In a letter to President Obama, a group of 15 open source advocates are suggesting that the US government adopt open source applications in preference to commercial programs, a process they claim will save the government a lot of money.
 
Roger Thornton, Fortify’s CTO noted, “Governments and open source proponents need to understand that security is not a birthright. It does not come ‘for free’ because of the way you license your product. If security objectives are not clear and secure development methodologies are not in place, it’s a pretty safe bet that security problems will result — whether open source or commercial software.”
 
According to Thornton, the net result of the potential security flaws that can arise from open source means that the direct cost savings of using such programs as an alternative to commercial software can be significantly outweighed by the indirect costs.
 
By indirect costs, he means the cost of remediation and hardening the code concerned, as well as the potential costs of litigation that can result when things go badly awry and rogue code causes problems.
 
I reached out to Digium’s John Todd, Asterisk Community Director, for his thoughts regarding the issue of security in open source as well as the need for Government to consider open source projects alongside so-called “commercial” software. His responses follow.
 

GG: Does Digium echo the call for the Administration to consider Open Source solutions alongside “commercial” software whenever possible?
JT: Digium is in complete agreement with the assertion that Open Source should be considered alongside “commercial” software wherever possible. In many cases, Open Source is the current leading solution — see the Apache Web server, or Postfix/Sendmail mail servers, or many other examples. It is our belief that most Open Source solutions are preferable, but have a much smaller marketing and sales capacity and therefore will often go overlooked in circumstances where extensive administrative “hand-holding” is required to implement a solution, as in government environments. Open Source software saves money, provides security, allows rapid transformation, and is often a better solution than commercial packages, and should therefore be given additional assistance in the consideration process to ensure equal comparison on technical merits.
 
GG: Do you agree or disagree that Open Source software code is inherently less secure? Why?
JT: Digium strongly disagrees that OSS is less secure. In fact, it is clearly the opposite — transparency provides security audits without resistance from vendors. If a full security audit is required of an open-source package, it can be done without any permissions or oversight or refusal by the vendor. Confidence is evidenced through transparency — anything less than complete source availability almost certainly implies hidden security issues that will only be known once they are exploited, with no chance of discovery and repair prior to abuse. To believe otherwise is a fallacy, though vendors of closed-source software are desperate to convince anyone gullible enough to listen otherwise.
 
Both Open-Source and closed-source software need constant vigilance and testing to ensure compliance with security standards. But Open Source has advantages. It is our belief that Open-Source code is inherently more secure than closed source code. Why? One of many reasons is that widely-used Open-Source programs are under constant scrutiny from large numbers of very capable programmers. A person or group that commits code that is insecure is subject to professional discrediting, so there is a high incentive to submit code that is secure. When code weaknesses are found (as is inevitable in all complex software), changes are made in near-real-time in some instances — certainly faster than closed source packages ever could hope to provide. Updates can be made incrementally, such as repairing a single source file and re-compiling without having an entire package upgrade or modifying behavior in other unaffected portions of the platform. This leads to more stability, better security, and more rapid response against any threats in a way that closed source software just cannot do by nature.
 
GG: Is security a common concern among enterprise buyers of telephony solutions?
JT: Security is an important concern for telephony operators at all levels of implementation — application providers, service providers, enterprises, and SMB users. There are several levels of security to be considered: security of the systems on which the software runs, security of the applications themselves, security of the VoIP protocols, and security of the network on which the traffic is transmitted. Open Source solutions can provide security in three of those four layers: Linux and BSD-based platforms have been proven to be robust, secure solutions (the NSA distributes a flavor of Linux!), the applications can be wrapped in various OSS security models or filters to secure their interactions with other apps on the same system or other hosts on the network, and the protocols themselves (SIP, for instance) are by definition open-source RFCs with serious thought being put into encryption and authentication layers that are typically first implemented in Open Source software. The network is more of a construct of each organization, and is not a set of code, so it is outside the scope of any particular type of closed or open-source implementation. Three out of four is an impressive number of points where hardened security elements can be installed using Open Source.
 
GG: Do open source telephony solutions scale to the extent that a government agency could deploy a communications solution based on, say, Asterisk?
JT: Yes, and in fact that is already happening. Asterisk is being used in federal, state, and local governments extensively due to the low cost of implementation and not requiring budgetary approvals for service-based platforms. Both as a PBX and as a generalized telephony toolkit, Asterisk is making government more cost-efficient (savings) and more transparent (telephony-based applications for interacting with government agencies).
 
GG: If you could add one more item to the economic stimulus package, what would you ask for?
JT: Throwing federal funding around is akin to dropping a steak into the shark tank — a frenzy erupts, and of course most companies are self-interested in how to get a piece of that funding for themselves.
 
However, I would like to take a more indirect route to economic improvement through centralized funding. If the stimulus package has any incentives for improving or upgrading systems where an Open-Source solution is viable, then I would suggest that the Open-Source solution be given equal technical and administrative consideration despite the shortcomings in being able to invest equally in bid response — an “affirmative action” plan for free software. If an open-source project can potentially solve a bid project (even if it requires minor code changes) then there should be some small funding (1% of bid value?) that would be allocated to an alternate contractor to create a bid for an OSS solution. This would help the economy by funding tools, which were less expensive, and also by their use, create more business tools, which would be usable freely by others. This would feed the loop of efficiency, which would benefit the entire nation.
 
I would additionally suggest that if any work is done on Open-Source software by government employees on existing or new projects, then there should be a blanket requirement that those employees submit the code back to the open-source project. (Exceptions for code directly related to national security.) If tax dollars have directly or indirectly funded code to be written, then there should be an easy way for the agency or individual to submit that code back to the project without having to receive approvals from the various layers of bureaucracy that typically ensnare contributions from government.
 
Currently, it is difficult for government employees to contribute code despite their work being technically “public property” that could benefit others. A Presidential order or Congressional act would be ideal to eliminate those impediments. The nation would benefit at a huge multiple on the expense as other public agencies as well as private firms were able to weave those changes into the tools that improve their productivity.
 
 

Greg Galitzine is editorial director for TMC’s IP Communications suite of products, including TMCnet.com. To read more of Greg’s articles, please visit his columnist page. He also blogs for TMCnet.

Edited by Greg Galitzine