Open Source In the DoD
Dawn Meyerriecks, Chief Technology Officer, Defense Information Systems Agency
(703)882-1000, meyerrid@ncr.disa.mil

DoD Definition: Open Source Software
Software such that the source code is publicly available and others may modify and redistribute it.
DoD Use of Open Source Software
• A survey conducted in March 2002 identified four main categories of open source software usage:
• Infrastructure support
• Software development
• Security
• Research
Why is Open Source Important?
• Open source products are deeply embedded in the DoD
• Apache - Over 60% of the web pages on the world wide web are served by Apache.*
• TCP/IP - The underlying basis of the Internet; its creation was funded by DoD.
• Sendmail - Moves mail from one machine to another; carries nearly 90% of e-mail traffic.*
• Linux - Unix-like operating system with over 18 million users.*** Widely used to host Apache, TCP/IP, and Sendmail services.
• Perl - An open-source-only programming language that is widely used to make web pages "smarter"
• Open source development is widespread and international
• SourceForge.org - 77,000 projects and 804,000 registered users
• Open source processes are extensible to DoD challenges
• DoD is adopting a "community source process" based on the CollabNet framework for Next Generation Core Enterprise Services
* O'Reilly, Tim, Linux eSeminar Series, 1999.
** O'Reilly and Esther Dyson, "Open Mind, Open Source."
*** The Linux Counter
Concerns With Using Open Source Software
• DoD Senior Leadership solicited comments from Defense and Industry
• Concerns raised:
• Exposing vulnerabilities
• Introduction of Trojan software
• Capture of software by GPL licenses
DoD funded a study to examine the reliability and security claims of "both camps."
Reliability and Security: Better or Worse?
• Attributes of the Study:
(1) Questions to be answered
• Defect rate / defect repair time?
• Availability of the product?
• Vulnerabilities / resolution time?
• Criticality of the vulnerabilities?
(2) Utilize existing systematic studies of the questions
• Separate tightly held "philosophy" from solid research
• "Open source is more secure" ... because it is more rigorously reviewed
• "Proprietary software is more secure" ... because access to code is limited
(3) Consider confounding factors
• Skill of the individual programmers
• Corporate policies and priorities
• Market share / exposure
• Proliferation of versions (in both open source and proprietary software)
Reliability and Security: How Much Solid Data Exists?
• Major Studies
(1) "Fuzz Revisited", B.P. Miller, University of Wisconsin, 1995
(2) "An Empirical Study of the Robustness of Windows NT Applications Using Random Testing", J.E. Forrester, 2000
(3) ZDNet 10-month reliability test: Red Hat Linux, Caldera Systems OpenLinux and Microsoft's Windows NT Server 4.0
(4) Bloor Research 1-year test of Linux vs NT, 1999*
(5) Syscontrol AG website uptime survey of 100 popular Swiss sites, Feb 7, 2000
(6) SecurityFocus, Linux vs NT vulnerability counts, August 2001
(7) Reasoning characterizations, on-going, multiple products
Bottom line: Some useful comparisons exist case-by-case, but there is a lack of solid data to support a single position.
Security and Reliability Conclusions
General proprietary-versus-open-source arguments about security or reliability reflect POOR software engineering practice.
• There is NO substitute for:
(1) A well-structured development process
• For proprietary/government-developed software: Software Engineering Institute Capability Maturity Model certification, or other process maturity methods (e.g., Agile)
• For OSS: "Two Case Studies of Open Source Software Development: Apache and Mozilla", Mockus, Fielding, Herbsleb, 2002
(2) Security-savvy programmers with clear objectives
• Berkeley Unix system development (especially the OpenBSD example)
• Microsoft Longhorn? (via renewed emphasis on security at Microsoft)
May 28, 2003 Memo: OSS in DoD
• OSS must comply with all applicable DoD software policies
• Includes National Security Telecommunications and Information Systems Security Policy Number 11
Conclusions
• Use the right tool for the job
• Handle OSS and proprietary software appropriately
• Practice and preach responsible systems and software engineering discipline
• Avoid "hype" and "philosophical camps"
• Base tool selection on applicable systems engineering disciplines and "real" data
• Encourage academia and industry to continue to characterize and evolve sound engineering practices and products/services