/usr/lib/info -- hacker/librarian haven
Article Review: Calculating the Total Cost of Development: Is open source security really free?

By jaf, Section Reviews
Posted on Thu Sep 19th, 2002 at 06:40:02 AM EST
People often ignore the "hidden" costs of adopting open source software. How much does OSS cost to implement? And is it more secure than off-the-shelf code? This white paper by RSA Security tries to address these issues. The paper's conclusion is that, over the long run, it is safer and less expensive to purchase than to use OSS. Might this paper be a little less than objective, given that RSA sells security software? Could be. Read more below for a full review.


The paper starts off by stating that it will outline nine main factors to help a business manager make the build-or-buy decision, based on ROI. However, it concentrates mostly on the cost of building security into a project, as opposed to the wider development arena.

Early on, the author(s) state that "most companies who develop in-house security solutions rely on open source code often do so because they believe it is 'free'". However, there is no reference or other data to back up this assertion, which is unfortunate, as a good portion of the paper focuses on costs. The paper also compares open source security software against commercial security software, and makes some rather questionable assumptions there as well.

Let's look at each assertion in the document, and discuss its merits:

  • Non-commercial software from an untrusted source can add 2-6 weeks of an engineer's time to review for quality

    What about non-commercial software from a trusted source? Sure, if there are questions about the trustworthiness of the software, you will probably want to spend some extra time reviewing the code. But at least you have that opportunity - before you decide to purchase or commit to the code.

  • Government security certifications that ship with commercial software can cost $50,000 - $100,000 and take 2-3 months of engineering if developed in-house.

    Well, this is a bit beyond my area of expertise, so I may not be reading this assertion correctly, but my interpretation is that a risk of not using a commercial security product is that there will be enormous costs in getting your product certified as secure. Wouldn't you need to certify your implementation and integration of the security code anyway? (Maybe not; could someone clarify?)

  • Liability risks of using non-commercial software can range from $100,000 to millions if there is patent infringement or security vulnerability that exposes an end-customer's business.

    This appears to be a FUD argument. There is no difference in the costs of liability whether using commercial or open source software; perhaps the buck could be passed to the commercial developer, but then again, the license agreement might disclaim any responsibility on their part (I haven't seen the license agreements for this type of software, but I imagine there must be some disclaimers in there. If not, please let me know). As to patent infringement - well, that's a risk with any software that you develop, security or otherwise.

  • Customizations that ship with commercial products will take in-house engineers anywhere from one week to 2 months to build per optimization (porting, code reduction, processing and algorithm optimizations).

    Okay, seems reasonable. So? Is it different for Open Source Software?

  • Developers that use commercial products benefit because the documentation and sample code provided can help them get to market 40 percent faster with fewer errors

    Really? With any commercial security product? Show me the data.

  • It costs 60-100 percent more to fix a security vulnerability on your own, if it is discovered after production

    No doubt it costs much more to fix a software bug or vulnerability after release than before the customers get the product; once again, this is no different for OSS than for commercial software.

Review Conclusion

The discussion of the paper above is probably enough to give you an impression of the validity of its arguments. You can read the paper itself to form your own conclusion, but in my opinion, this paper is really a somewhat thinly disguised marketing tool. However, it does contain a few good points concerning areas to address in each step of the development lifecycle, if you can filter them out. Overall, I find fault with many of the arguments, assertions, and assumptions in the paper.
Powered by Scoop
All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest 2002 The Management
