Open Source Security Strategy

(Le texte en français suit la version en anglais.)

Draft Statement of Rationale: "Open Source Security Strategy".

Information technology security refers to a system's degree of assurance, integrity (i.e. free from tampering), privacy, confidentiality, auditability, reliability (i.e. free from 'bugs' in code, design and architecture), trustworthiness, authorization controls and availability, data/metadata ownership/access/holding/persistence, as well as the efficiency and effectiveness of the system supplier's issue response methodology and performance.

Software security can be enhanced through open source transparency. Certainly, obscurity does not prevent determined individuals from finding vulnerabilities. The open source approach enables you, the customer, to assign supplier-independent experts to:

- Conduct your own security audits of the implemented security policies, the logical architecture of systems, and programming code, right down to the level of running systems line-by-line through tests and debuggers to validate each process or calculation.

- Link system components from multiple suppliers, both open source and proprietary, to achieve architecture management for 'whole systems' (composability);

- Adapt solutions to suit your organization's priorities;

- Engage open scientific peer review with your allies in industry, academia and the public sector, backed by 24X7 issue-management, knowledge-sharing and emergency response;

- Strip away from applications the unnecessary features or functions that could be exploited, or that could hide rogue code ("Trojan horses");

- Manage large software systems effectively with individual modules that are not very complex, and for which dependencies are well documented;

- Avoid being held hostage by the patch release methodology and schedule of any single vendor.

The free/libre and open source business model carries a strong incentive towards the engagement of fully-documented, vendor-neutral international standards. Standards are defined by the WTO Agreement on Technical Barrier to Trade http://www.wto.org/english/docs_e/legal_e/17-tbt.pdf . Auditable conformance with standards strengthens information technology security by reducing uncertainty.

Since the architecture and programming code of 'mature' open source software is collaboratively created by multiple suppliers, it tends to be well documented, so that when 'deep bugs' are found (i.e. architectural level), they can be closed quickly through the pooling of resources and efforts. Open source communities can further improve security by more effectively structuring their peer review processes.

The essential logic of the Open Source Security Strategy is straightforward. "Bad guys" don't honour "non-disclosure agreements" or any "corporate handbook on values and ethics". They have access to the source code for both proprietary and open source systems. Motivated, persistent, and often even paid, they find vulnerabilities and may also write exploits or proof of concept code to demonstrate their find, whether the source code is open or proprietary. They use vulnerabilities against you, and sell the information to their friends. "Good guys" are your friends, and help you find and patch the vulnerabilities in the process of conducting their own security audits. This is why you want independent vendor-neutral scientific peer review of software code by good guys, not just bad guys. This is practical when software code is published under www.opensource.org or www.gnu.org certified open source or free software licenses.

Origins:

The initial wiki-published draft of this statement was the outcome of an earlier draft that was discussed and refined in a public panel discussion during "GTEC 2003 Experts Panel: Understanding Open Source Security Strategy" was held 2:00-3:00 pm, Tuesday 7 October, in the Westin Hotel, Ottawa, Canada. http://www.gtecweek.com.

Participants on the panel included:

Mike Chawrun, Vice-Chair, CAC/JTC1/SC27 (IT Security Techniques). JTC 1 is the Joint Technical Committee of the International Organization of Standardization, and the International Electrotechnical Commission which deals with IT standardization in the international arena. SC 27 is one of JTC 1's more active committees developing standards for IT security. Mike is the vice-chair of Canada's mirror committee of SC 27, and works as a Crypto Standards Specialist at the federal government's Communication Security Establishment (CSE).

Eugen Bacic, MCS, Chief Scientist, Cinnabar Networks Inc. Eugen Bacic heads up Cinnabar Networks' Research and Development division. He has been a leading designer of information security technology for nearly two decades, including early research on firewalls, public key cryptography, trusted audit, network and infrastructure security, malicious software detection, composable systems, policy engines, and security criteria. Before joining Cinnabar, Eugen founded Texar Corporation, a security policy company, and was Sr. InfoSec Research Scientist at the Communications Security Establishment.

Michael Richardson, Project Technical Lead, FreeS/WAN www.freeswan.org Michael Richardson has worked on system software and network stacks for over ten years: SunOS, BSDi, NetBSD and Linux. He spent a number of years building firewalls, then virtual private networks (VPNs) to connect them, then silicon to implement VPNs. Returning in summer 2001 from the depths of such specialization, Michael has been a member of the Linux FreeS/WAN team ever since.

Peter Graner, Enterprise Architect, Red Hat Corporation. Pete Graner started his U.S. Military career as a communications and crypto analyst. During his 16 year tenure, he gained experience on nearly every Unix variant as a programmer or systems engineer. After leaving the military he joined Presearch Inc. For seven years he worked as a software engineer on web-based military intelligence analysis systems and software. In 1999 he was promoted to Senior Scientist responsible for R&D and future systems. Later as a consultant for Sun Microsystems, Pete was responsible for building Solaris & Linux architectures for various U.S. Government agencies. Today, Pete is an Enterprise Architect with Red Hat Inc. where he leads various projects within the U.S. Defense Department and Civilian agencies.

Moderator: Joseph Potvin jpotvin@pwgsc.gc.ca Manager, Enterprise Architecture IT Standards, Architecture and Security Sector, Telecommunications and Informatics Program, Public Works and Government Services Canada (PWGSC), Government of Canada.

Comments:

You reference integrity as (i.e. free from 'bugs' in both code and architecture), whereas I believe integrity in an IT Security context also refers to ensuring that the content of messages sent between users or system components is not modified by those not authorized to modify it. (Bruce Catley)