Open Source software: Free, but not cheap
Open Source software is usually developed in an open, collaborative manner. The software is typically free, and users are able to use, change, improve, or share it. However, three considerations about Open Source software don’t bode well for use with VM:
- Questionable code. Open Source code is developed by the public, and you can’t be assured of its quality like you can with a commercial vendor. A reputable vendor follows industry standard processes for software code assurance and security, and submits the code to scrutiny by independent testers and validation regimes such as those used for FIPS (Federal Information Processing Standards) or Common Criteria. The issue of implementing untested Open Source modules of code into any software application also poses the risk of non-robustness after the application is deployed into an enterprise’s production environment. And there’s a risk of inadvertently integrating vulnerabilities into the VM system via the untested module. In fact, many instances of modules (or vulnerability checks) have provided false positive and false negative results. Some checks have even disabled systems. If you use Open Source solutions for VM, proceed at your own risk!
- Open Source software may be free but it’s not inexpensive. Open Source software carries the same operational costs as commercial software. Be ready to pay for equipment space, rack and air conditioning, system administration, deployment and configuration, maintenance and patching (if and when they arrive from community developers), backup and restore, redundancy, failover and uninterrupted power, audit logs, provision for VM application security and maintenance, capacity planning, and event monitoring. The list goes on!
- Training and support are skimpy. Your security staff must know how to operate the tools and capabilities of VM – and how to quickly eradicate vulnerabilities found on the network. With Open Source software, it’s rare to find packaged training and support information together from Open Source forums on the Internet. While many experts collaborate on sharing their tips, it helps to know the people who program the software because they’re often the only source of information – especially for Open Source modules or plug-ins that may not work as described. When you rely on Open Source for VM, gurus are essential for handling the technical aspects of the job.