Terry Bollinger, from Mitre, is discussing the report that was recently released on "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense." The report is based on a study (survey) done by Mitre in 2002 for DISA. The survey found 115 FOSS applications with 251 typical examples. Apache, PERL, and Linux, not surprisingly, were the most popular. The report is over 162 pages long (Mitre knows well what the government wants from a contractor) and represents an exhaustive look at FOSS and its use in the DOD.
The report found that security of FOSS was noted by users as a feature. Most DOD intranets wouldn't work without it, software development was clearly tied to its use, and cost is seldom the reason for choosing to use FOSS.
The report found that for security:
- FOSS has applications that have been intensively reviewed from a security and reliability perspective.
- FOSS includes much of the most advanced work and tools for analyzing networking system weaknesses. This reminds me of when I showed up at Utah and questioned why we were spending money on intrusion detection software while the best one, Snort, was free. They said "Can we do that? I thought that was prohibited."
- The FOSS concept of user autonomy enables rapid responses to novel types of infrastructure attacks. The issue is basically that security attacks reported as bugs to a commercial company involve unreliable communication channels, and the response by commercial companies, as they struggle to protect their IP, is done through ineffective channels.
- FOSS provides "auto-escrow" for software, thus protecting users from the concerns that they might otherwise have with respect to a small company.