[TCMUG] Fwd: [fws-gis] DOD moves to consolidate investment in FOSS

Huberty, Brian brian_huberty at fws.gov
Fri Nov 17 10:18:06 PST 2017


This may be of interest to TCMUG.
---------- Forwarded message ----------
From: Van Dyke, Daryl <daryl_van_dyke at fws.gov>
Date: Tue, Nov 14, 2017 at 5:35 PM
Subject: [fws-gis] DOD moves to consolidate investment in FOSS
To: fws-gis gis <fws-gis at lists.fws.gov>




Hi All-

You may have read that the DOD is setting explicit goals to migrate to FOSS
(Free and Open-Source) software.  They have released this very thoughtful
FAQ on the subject <http://dodcio.defense.gov/Open-Source-Software-FAQ>.

While cost-savings are part of the justification, the primary reasons
identified are increased security through code transparency and frequency
of updates.  The exact language is given below.

I thought we should recognize the groundwork being set by the DOD, NSA, and
other organizations in Federal service to increase the value and security
of our actions for our trust resources.

Daryl



Q: Doesn't hiding source code automatically make software more secure?

No. Indeed, vulnerability databases such as CVE make it clear that merely
hiding source code does not counter attacks:

   - Dynamic attacks (e.g., generating input patterns to probe for
   vulnerabilities and then sending that data to the program to execute)
   don't need source or binary. Observing the output from inputs is often
   sufficient for attack.
   - Static attacks (e.g., analyzing the code instead of its execution) can
   use pattern-matches against binaries - source code is not needed for them
   either.
   - Even if source code is necessary (e.g., for source code analyzers),
   adequate source code can often be regenerated by disassemblers and
   decompilers sufficiently to search for vulnerabilities. Such source code
   may not be adequate to cost-effectively *maintain* the software, but
   attackers need not maintain software.
   - Even when the original source is necessary for in-depth analysis,
   making source code available to the public significantly aids defenders
   and not just attackers. Continuous and broad peer-review, enabled by
   publicly available source code, improves software reliability and
   security through the identification and elimination of defects that might
   otherwise go unrecognized by the core development team. Conversely, where
   source code is hidden from the public, attackers can attack the software
   anyway as described above.  In addition, an attacker can often acquire the
   original source code from suppliers anyway (either because the supplier
   voluntarily provides it, or via attacks against the supplier); in such
   cases, if only the attacker has the source code, the attacker ends up with
   another advantage.

Hiding source code *does* inhibit the ability of third parties to respond
to vulnerabilities (because changing software is more difficult without the
source code), but this is obviously *not* a security advantage. In general,
“Security by Obscurity” is widely denigrated.

This does *not* mean that the DoD will reject using proprietary COTS
products. There are valid business reasons, unrelated to security, that may
lead a commercial company selling proprietary software to choose to hide
source code (e.g., to reduce the risk of copyright infringement or the
revelation of trade secrets).  What it does mean, however, is that the DoD
will not reject consideration of a COTS product merely because it is OSS.
Some OSS is very secure, while others are not; some proprietary software is
very secure, while others are not. Each product must be examined on its own
merits.



--
_________________________________________
Daryl Van Dyke
GIS Analyst
Klamath Strategic Habitat Conservation Team
US Fish & Wildlife Service - AFWO, R8
(707) 825-5153
https://github.com/GeospatialDaryl




-- 
*Brian Huberty*
U.S. Fish & Wildlife Service, Ecological Services
Upper Midwest - Great Lakes Region
5600 American Blvd W, Suite 990
Bloomington, MN  55437

*(612) 713-5332 Office*
(612) 308-7306 Cell
brian_huberty at fws.gov