Claims that open source software compromises security are largely false and misleading, a Waltham, Massachusetts-based software risk analysis company said today.
Officials with Ounce Labs Inc. say that the relative security of software – be it open source, commercial or home-grown – really just depends on whether security was a top priority during the development cycle.
According to Jack Danahy, Ounce’s co-founder and chief technical officer, there’s little difference in the overall security of open source programs and those developed in a more proprietary manner.
“Our own people, our partners, and our customers have used the Ounce Labs’ suite of tools to examine literally billions of lines of code, and there is not a stark differentiation between the two,” Danahy said. “The bottom line is this: There is an endless supply of both secure and vulnerable software across the commercial, open source and proprietary domains. The assessment of the scope, severity, and situational impact of those vulnerabilities should be a core process in any software acquisition, regardless of the source.”
The relative security of open source solutions is a hot topic now, as the technology picks up market share in this slower economy. Generally speaking, many organizations choose open source over commercial technology for its flexibility, cost, and enterprise-level features.
As TMCnet reported just hours ago, the company that created and develops Asterisk, the popular open source telephony platform, reportedly is joining a British group to provide new call center services.
Officials at Huntsville, Alabama-based Digium Inc. say they’ve already started work with Orderly Software, whose flagship software-based product – “OrderlyQ” – is designed to optimize call center queuing by leveraging companies’ existing technology.
Digium has been using the Exeter-based Orderly Software’s call center management and monitoring platform, “OrderlyStats,” for a while in its own call center, according to Jim Webster, the Asterisk company’s director of technology partnerships.
“We found OrderlyStats to be among the best real-time management and historical statistics packages we have seen,” Webster said. “We are looking forward to working closely with Orderly Software to further enhance their Asterisk offerings.”
Of course, that’s not to say companies seeking an IP telephony solution shouldn’t concern themselves with security.
As Ron Meyran, product marketing manager of security for Radware Ltd., an integrated application solutions provider, told TMCnet in an interview here, because VoIP delivers voice services over a shared IP infrastructure, SIP-based VoIP is exposed to IP-based attacks that do not exist in the PSTN.
“There are SIP vulnerabilities – SIP is a protocol that includes vulnerabilities such as buffer overflows, malformed SIP packets, SIP SQL injections,” Meyran told us. “There is SIP service misuse – including SIP server scans to build a database of SIP users registered to the service and then launch Spam over Internet Telephony; SIP brute force attacks, stealing the identity of legitimate users; SIP Invite or Bye floods that can slow down or even shut down the SIP service; and more.”
For Danahy, open source software can deliver enormous value and it’s not difficult for enterprises to perform the necessary analysis and remediation to ensure that it has suitable security.
“This is why organizations like the U.K. government can investigate and potentially accelerate the use of open source software,” he said. “They understand that open source is no less secure than any other form of software, as long as all software is analyzed in advance of deployment by either the developer or the purchaser, to ensure that it meets the necessary security requirements.”
Michael Dinan is a contributing editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries.
Edited by Michael Dinan