On the surface, open source software seems like a great deal for small and medium-sized businesses (SMBs). It's
free and freely available on the Web -- which is always in the budget. But best of all, it's supposedly more secure than off-the-shelf commercial software.
But does open source software live up to its touted security credentials?
True, its source code is open and gets picked apart, played with, hacked and tweaked over and over by developers and software gurus worldwide. But open source software, just like its commercial counterpart, still needs to be hardened, patched and locked down before it's deployed.
Here are five best practices SMBs should employ to keep open source applications safe and secure.
Software inventory. If you haven't done a software inventory, do one. An inventory provides a measure of control over what's installed in-house. Even in a small company, the number of software applications -- open source or otherwise -- can get out of hand. And while purchased commercial software leaves a paper trail of invoices for record-keeping, open source software can be downloaded right off the Web without leaving a trace.
Not only should logs with download dates and times be kept, but all open source software should also be checked for integrity before being installed. Open source software comes with MD5 hashes or GNU Privacy Guard signatures to verify that what was downloaded is whole and complete. If the software doesn't pass an integrity check and needs to be downloaded again, this should be noted in a log, too.
Patch management. Patch management for open source software can be tricky, but it's crucial. Release cycles and update schedules often aren't in sync, making patch planning difficult, but it can be done.
For SMBs with a small open source software base, manual patching may be the cheapest, if not only, option. You'll need to manually check and apply open source patches for technologies like Apache and Jakarta, products that have regular release cycles for patches but lack automated updates like Linux systems.
Another option for smaller SMBs is to regularly check open source Web sites and automatically install updates via scripts. Scripts can be written by most system administrators and set to run in off hours -- weekends or in the middle of the night -- at regular intervals.
But as an SMB grows, manual updating and scripts become unrealistic, and patch management tools are the next step. Unfortunately, most patch management tools are geared toward Windows updates. But a few products also update open source software, including PatchLink Update and Shavlik Technologies LLC's NetChk Protect.
Network and firewall compatibility. Open source software, like all software, may require the opening of specific TCP ports for Internet access. But be sure when doing so to not open other security holes in your network.
Also, it's important that open source software is compatible with your existing network security architecture. If adopting a given open source application or software requires radical changes to your architecture that could compromise network's security, you might want to reconsider whether it's right for your company and look for alternatives.
Access management. You should change all default security settings as soon as any open source software is installed to keep out hackers, who often keep lists of common user IDs and passwords.
Also, where possible, upgrade the built-in access management systems that come with open source software. Apache, for example, employs basic and digest authentication -- weak systems that can be easily broken by hackers -- and uses a file called "htaccess" to provide password protection to restrict access to certain Web site directories. Don't rely solely on these, as there are many better ways to restrict access using Apache's configuration files and security modules or to lock down access on the server itself using the operating system.Open source software, just like its commercial counterpart, still needs to be hardened, patched and locked down before it's deployed in the enterprise.
Test and scan. Tools from Fortify Software Inc. and Ounce Labs Inc. can scan for software vulnerabilities, while WebInspect from SPI Dynamics and AppScan from Watchfire Corp. can check for vulnerabilities in Web sites running Apache or other open source Web servers.
Ultimately, open source software is more secure than its commercial counterparts, but care should still be taken to ensure that it's installed, configured and patched securely. SMBs, which have less money and resources to play with, may have to be more creative than larger companies to do so, but they still can and should do it, too.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security available from Amazon. He has a radio show on computer security on WIIT and runs The IT Security Guy blog at www.theitsecurityguy.com.