Security Software

Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.
  • Accountability (Score:3, Insightful)

    by JaxWeb ( 715417 ) on Monday February 07, 2005 @03:06PM (#11599236) Homepage Journal
    If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

    However, for protecting yourself, I think there are ethical reasons to use Free Software - Stallman argues that you should choose software for those reasons alone, and not technical reasons. If you listen to Linus, however, he tells us that technical reasons are valid reasons to choose software. Your decision on this issue is the first step to your overall decision.
  • Penetration Tester (Score:3, Insightful)

    by RasendeRutje ( 829555 ) on Monday February 07, 2005 @03:08PM (#11599272)
    Penetration Tester?? Not only looking for the obvious (security) holes, but also the tricky ones? Those you don't normally see? Damn, where do you learn that?
  • Don't Forget (Score:3, Insightful)

    by iammrjvo ( 597745 ) on Monday February 07, 2005 @03:12PM (#11599310) Homepage Journal

    There is security implied simply by the fact that the product is open source. That is to say that its failings and potential security weaknesses have been evaluated by a community beyond the original developers and are always open to scrutiny.
  • by tod_miller ( 792541 ) on Monday February 07, 2005 @03:14PM (#11599339) Journal
    a) it does the job
    b) see a.

    I do not see the need to stick to ideals in a world of security, use the best tool for the job, and stay vigilant (if OS is the best tool, then only merit it on this, not the fact that it is OS)
  • by A nonymous Coward ( 7548 ) * on Monday February 07, 2005 @03:18PM (#11599386)
    How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibility.

    Your responsibility is to protect your company AND get it back on its feet after a break-in. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on the dollar in restitution. So what good does it do to sue the developer or seller?

    You have to get the company going again as quickly as possible. It just might be helpful to have sources to what failed to see how it failed and how the break-in occurred. Proprietary software is useless there.
  • by hellfire ( 86129 ) <deviladvNO@SPAMgmail.com> on Monday February 07, 2005 @03:19PM (#11599398) Homepage
    IANASS (...Security Specialist) but to me, logic seems to state that having an open source system has an advantage in that the code is there for everyone to see, and that you can add your own code.

    Take physical security as a metaphor. You want to secure your physical plant, so you hire a security specialist. You hire his services and he peruses your building. He suggests locks here, cameras there, and a whole plan on making your business less prone to break-ins and the like.

    However, what's so great about this? Two things. One, everything is transparent. It's not like joe security officer is selling you a security package and not telling you where he's going to put that $50,000 you just paid for. He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you. It's your plan, not someone else's. It's based on your requirements and your specifications. If a security company comes to you and says they'll put a camera in every room and be done with it, is that really enough for you?

    Tie that back to open source. The code for open source security solutions is that plan you need. You can provide input on it and change it as much as you want to match your individual needs. And the code will be more unique than a commercial security program, which is the same from site to site.

    I can't say that open source is necessarily for everyone. Maybe a camera in every room is all you need. Maybe you just need a security guard out front. The advantages I see here are businesses where security is an important part of business, and where companies don't want control of their own data in the hands of anyone but themselves.
  • Agreed (Score:3, Insightful)

    by paranode ( 671698 ) on Monday February 07, 2005 @03:19PM (#11599403)
    Those are great tools to use and the fact that they are free is even better. The only thing I might recommend replacing for a commercial alternative is Nessus. If you can afford it, something like eEye's Retina scanner is a very nice product. It doesn't come cheap, but if you work in a big corporate environment you can probably justify the cost. Not to mention, Nessus is a bit flaky so if you start crashing machines during your testing you will have some angry people to answer to. Don't get me wrong, Nessus is great for a free tool, but it lacks professionalism and is a bit overintrusive at times, even with the safe settings activated.
  • by RyoShin ( 610051 ) <tukaro.gmail@com> on Monday February 07, 2005 @03:20PM (#11599405) Homepage Journal
    I don't have a lot of experience with free software, but I can tell you why people prefer to pay for it: Security in spending.

    Basically, most people (including CEOs and the like) think that the more something costs, the better it must be. After all, if Product A costs you $100 and Product B costs you $5, then there must be a lot more features and hard work put into Product A to make it cost more than Product B.

    Plus, when people hear 'open source', they think of crackers/evil people getting their hands on the source code and exploiting all sorts of 'holes'. Since they can find out how it works, it must be really easy for them to exploit it.

    I wouldn't be surprised if many people, on first look, would rather pay $10 for a Linux distro rather than get it for free because 'free' has all sorts of bad connotations locked in with it in this day and age. They assume it's the difference between going to a 12-year-old's lemonade stand and going to Starbucks for a smoothie. "You get what you pay for."
  • Re:Accountability (Score:4, Insightful)

    by fm6 ( 162816 ) on Monday February 07, 2005 @03:22PM (#11599431) Homepage Journal
    "Telling your CEO 'but the tool didn't see that problem' potentially makes you look just as dumb as the tool you paid for."

    Why? It's not your job to see the problem. By hiding the implementation of the security software, its designers assumed responsibility for making it reliable.

    Passing the buck is standard corporate politics. It's true that this leads to a lot of dysfunctional organizations and bad decisions. But if you choose to fight this trend, you better be very good at what you do. And at covering your ass.

  • by Eternally optimistic ( 822953 ) on Monday February 07, 2005 @03:22PM (#11599435)
    For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.
  • "I would use commercial software. Why? Because if something does go wrong, it is the vendors fault and not yours."

    grunt: Admiral! There's a missile coming our way, and the defence systems have just blue screened!

    admiral: Thank god I can blame Microsoft for this!
    missile: BOOM!
    So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

    I mean, it's not like most commercial vendors take any responsibility for their software, anyways -- have you read your EULAs recently?

    At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With Proprietary code, your only choice is to grin, bend over and wait for your bill.

  • by Stinking Pig ( 45860 ) on Monday February 07, 2005 @03:28PM (#11599506) Homepage
    Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

    Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....
  • Different markets (Score:3, Insightful)

    by ectoraige ( 123390 ) on Monday February 07, 2005 @03:33PM (#11599555) Homepage
    The market for commercial security tools is quite different. To begin with, it's smaller than the market for OSS tools. While security professionals may use either, any crackers worth their (or somebody else's) salt won't be caught using commercial products. Thus, there're probably more 'feature requests' and feedback for the OSS developers to respond to.

    Also, a number of commercial products are not written with just the user in mind - the larger ones also involve things like generating pretty reports for use in the CTO's bonus negotiations and suchlike.

    Finally, lots of the commercial products try to be competitive by doing everything at once, whereas the OSS tools tend to be more focused on specific functionality, following the traditional unix approach.

    Of course, all these points are generalisations and there are exceptions to them all, but that's what you get for asking such a general question.
  • by ifwm ( 687373 ) on Monday February 07, 2005 @03:43PM (#11599657) Journal
    "So you'd use inferior software"

    Commercial is not the same as inferior. MANY MANY commercial products are better than the open source version. Your bias is showing.
  • by Locke2005 ( 849178 ) on Monday February 07, 2005 @03:46PM (#11599700)
    "4. Uncle Sam's pockets are deep."

    Thank you very much for wasting my tax dollars, cretin! Seriously, I think this attitude that the "government has lots of money!" is going to be the downfall of the US... here's a subtle reminder: all the money is taken from hardworking citizens, at gunpoint if need be. Or borrowed against future taking from citizens...

    Read your contract with your vendor. Fact is, most commercial software contracts don't protect against anything more than refunding the purchase price, even if completely unfit for the purpose for which it was sold!

  • by gelfling ( 6534 ) on Monday February 07, 2005 @04:07PM (#11599935) Homepage Journal
    If I recall, the OpenSSH license had some really weird language in it that amounted to "There is a lot of code in this tool. I'm not sure of everything and there may very well be something in here that belongs to someone else. So if they come after you Mr. MegaCorp, don't ask me. It's not my problem."

    And that is a bigger problem for our lawyers than the efficacy of the tool itself.

    Otherwise, why must it be an either/or decision? Why can't you have a mix of open and commercial and achieve a balance of cost and effectiveness?

    Also consider the total lifecycle costs. A $30,000 appliance out of the box may be cheaper than an open source tool running on an 'extra' server you have lying around plus 250 hours/year of your time fucking with it. Sometimes the best security is the security that makes the most rational sense for you to afford.
