Slashdot Mirror


Free Open-Source vs. Commercial Security Tools?

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.

9 of 234 comments shown

  1. Accountability by JaxWeb · Score: 3, Insightful

    If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

    However, for protecting yourself, I think there are ethical reasons to use Free Software - Stallman argues that you should choose software for those reasons alone, and not technical reasons. If you listen to Linus, however, he tells us that technical reasons are valid reasons to choose software. Your decision on this issue is the first step to your overall decision.

    --
    - Jax
    1. Re:Accountability by fm6 · Score: 3, Insightful
      Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.
      Why? It's not your job to see the problem. By hiding the implementation of the security software, its designers assumed responsibility for making it reliable.

      Passing the buck is standard corporate politics. It's true that this leads to a lot of dysfunctional organizations and bad decisions. But if you choose to fight this trend, you better be very good at what you do. And at covering your ass.

  2. Penetration Tester by RasendeRutje · Score: 3, Insightful

    Penetration Tester?? Not only looking for the obvious (security) holes, but also the tricky ones? Those you don't normally see? Damn, where do you learn that?

    --

    If Microsoft was mass, stupidity would be gravity.
  3. Accountability vs Responsibility by Anonymous Coward · Score: 4, Insightful

    How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibility.

    Your responsibility is to protect your company AND get it back on its feet after a break-in. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on the dollar in restitution. So what good does it do to sue the developer or seller?

    You have to get the company going again as quickly as possible. It just might be helpful to have the sources to what failed, to see how it failed and how the break-in occurred. Proprietary software is useless there.

  4. Counter-point instead by RyoShin · Score: 3, Insightful

    I don't have a lot of experience with free software, but I can tell you why people prefer to pay for it: Security in spending.

    Basically, most people (including CEOs and the like) think that the more something costs, the better it must be. After all, if Product A costs you $100 and Product B costs you $5, then there must be a lot more features and hard work put into Product A to make it cost more than Product B.

    Plus, when people hear 'open source', they think of crackers/evil people getting their hands on the source code and exploiting all sorts of 'holes'. Since they can find out how it works, it must be really easy for them to exploit it.

    I wouldn't be surprised if many people, on first look, would rather pay $10 for a Linux distro rather than get it for free because 'free' has all sorts of bad connotations locked in with it in this day and age. They assume it's the difference between going to a 12-year-old's lemonade stand and going to Starbucks for a smoothie. "You get what you pay for."

  5. How can you be sure of the quality of closed source? by Eternally optimistic · Score: 3, Insightful

    For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.

    --
    What keeps me going is my inertia.
  6. Re:Accountability -- Remind me not to hire you by Stephen Samuel · Score: 5, Insightful
    I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours.

    grunt: Admiral! There's a missile coming our way, and the defence systems have just blue screened!
    admiral: Thank god I can blame Microsoft for this!
    missile: BOOM!
    So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

    I mean, it's not like most commercial vendors take any responsibility for their software, anyways -- have you read your EULAs recently?

    At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With proprietary code, your only choice is to grin, bend over and wait for your bill.

    --
    Free Software: Like love, it grows best when given away.
  7. Re:Deploying Software by Stinking Pig · Score: 4, Insightful

    Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

    Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....

    --
    "Nothing was broken, and it's been fixed." -- Jon Carroll
  8. Check the license first by gelfling · Score: 3, Insightful

    If I recall, the OpenSSH license had some really weird language in it that amounted to "There is a lot of code in this tool. I'm not sure of everything and there may very well be something in here that belongs to someone else. So if they come after you, Mr. MegaCorp, don't ask me. It's not my problem."

    And that is a bigger problem for our lawyers than the efficacy of the tool itself.

    Otherwise, why must it be an either/or decision? Why can't you have a mix of open and commercial and achieve a balance of cost and effectiveness?

    Also consider the total lifecycle costs. A $30,000 appliance out of the box may be cheaper than an open source tool running on an 'extra' server you have lying around plus 250 hours/year of your time fucking with it. Sometimes the best security is the security that makes the most rational sense for you to afford.