Open Source


This topic contains 20 replies, has 10 voices, and was last updated by  FPrioleau 8 years, 6 months ago.

  • #74380

    Bill Vass
    Participant

    What do folks think of this Public CIO article on Open Source?
    http://www.govtech.com/gt/articles/696825

  • #74421

    FPrioleau
    Participant

    I agree with the intent of this article. I am not sure if there is the political will to use Open Source Apps. In education, more people are willing to use these resources than other governmental entities. It would save plenty of money that could get used for other materials.

  • #74419

    Steve Ressler
    Keymaster

    I think open source requires some strong support and policies from OMB and procurement. I’ve run into problems in many agencies that have simply stated that they do not do open source. And I think it is simply because right now it is harder for a government agency to do open source. Too many questions of Why? and not Why Not? Plus budget and cost considerations are felt differently in government than private sector.

    I was actually talking to Andrea Di Maio of Gartner the other day and he was saying that while there has been some success in Open Source in Europe, it didn’t take off like the tidal wave people thought in 2003-4.

    But I’m hopeful for open source and I see the beginning of some changes. For example, the Intelink tools such as Intellipedia and its bookmark-sharing and other tools are primarily open source technologies.

  • #74417

    Henry Brown
    Participant

    Have worked at 2 agencies in the last 10 years that would go somewhat ballistic if the phrase Open Source was ever used in a planning session. The mindset at these two agencies was: “Open Source is written by hackers and we don’t want to take the risk of causing damage to our system(s)”. I am NOT aware of any argument which was put forward which changed the minds of the people who managed IT.

  • #74415

    Lolly Wonnacott
    Participant

    I think sometimes we try to judge open source as a whole. There are many agencies with specific open source solutions in place such as Apache, Bugzilla, and so forth. While in use, I doubt there is any formal policy related to open source as a whole.

  • #74413

    Cindy Lou Baker
    Participant

    I’m really excited about open source programs. I can’t wait for the new generation to move in and crank things up a bit! They’ll have those security issues fixed in minutes. With open source, creating new policies and directives and then testing the systems will probably be what takes up most of the cost in the future. I guess it depends on which agencies are willing to try them and which ones require super security. Of course, the latter, i.e., NSA, FBI, etc. would have to have additional guarantees of that security possibly involving biometric ids (retina scans, voice recognition) or something similar. Nice article Bill. cb

  • #74411

    Jim Irwin
    Participant

    “They’ll have those security issues fixed in minutes.”

    Statements like this used to make me weep……..now they just make me giggle.

  • #74409

    Brian Behlendorf
    Participant

    Yeah, at the bottom of any list of arguments for using Open Source should be “those security holes will be fixed in minutes”, fixes are more likely when the code is transparent but nothing’s guaranteed. Closer to the top would be cost savings, but the top really would be the flexibility and reusability you get out of the freedom inherent in the licensing.

    Turns out Open Source is being used pretty extensively in the Federal government, but only where the gov contractors are leading with it in response to RFPs. That’ll happen more and more over time as contractors realize that such software is ideal for their services business. But there are a couple of projects – The NSA’s SELinux project for instance – where government seems to be specifically funding the development of open source projects. Another is the HHS ONC’s “CONNECT” project, an Open Source implementation of the various medical data sharing standards, with the goal of accelerating adoption of the NHIN. (http://connectopensource.org/). A conference next week here in DC has 1200 people showing up to learn more about it. (Disclosure, I’ll be speaking at it!)

    Brian

  • #74407

    Lawrence MacIntyre
    Participant

    One of the most important benefits of open source is the ability to maintain systems after corporate support is dropped. When you have the source code to your software, you control it. Open standards such as the OASIS OpenDocument/ISO/IEC 26300 file format (used by Open Office) ensure that access to public documents stored in that format won’t be lost because the version of the word processor used to create the documents is unsupported.

    Another benefit is the ability to fix bugs quickly instead of waiting for the vendor to fix them. It is of great benefit to be able to support software you didn’t write. It is also a great benefit to be able to add (or remove) features of the software you use. Note that open source doesn’t necessarily mean free software, although open source software is often free. It just means that you get the source code instead of only the binary version of the code. There is no compelling reason why Microsoft, for example, couldn’t offer their products as open source.

  • #74405

    Bill Vass
    Participant

    One of the interesting things you can see in my blog, is that the data on the National Vulnerability Database that DHS operates supports the fact that commercial open source products have had a much lower number of security exploits than proprietary products over the same period of time.

    Over the past few months I have been detailing the 6 top reasons I see the government moving to open source, http://blogs.sun.com/BVass/

    The number one reason is better security. You can see the data from the NVD in my blog, they have used that data to assign a security risk factor for using a specific piece of software. That risk takes into account the number of distributions (removing the old FUD about “we only get attacked more because we have more copies out there”), and normalizes it with the risk, number of exploits, and severity of the exploits. The lower the number, the more secure the product is.

    See the “#1 reason to move to open source: better security” section of my blog to see all the data and why open source products tend to be more secure than their proprietary equivalents.

  • #74403

    Bill Vass
    Participant

    This is another great point I have covered in my blog (Reason #3 the Government is moving to open source)

    http://blogs.sun.com/BVass/

    Lots of times the life of government programs exceeds the service life of most IT products, since the code is in the public domain, service can be provided beyond the end of service life of a product or vendor by third parties. This keeps the government from being locked in forever and held hostage by a vendor.

  • #74401

    Bill Vass
    Participant

    Open source is not a silver bullet, but it has proven to be more secure over the lifetime of most products

  • #74399

    Bill Vass
    Participant

    I believe there needs to be a formal set of policies in place around open source, just like there is around networks or any other technology. Open source needs to be embraced and managed, just like we did with the Internet.

  • #74397

    Bill Vass
    Participant

    I hate to keep pushing everyone to my blog, but go take a look. There are a lot of security advantages to open source, with statistics to back up the fact that open source tends to be MORE secure: (See the April posting “#1 reason to move to open source”)

    http://blogs.sun.com/BVass/

    In addition, lots of people don’t seem to understand that many of the products they use every day already are open source or have huge amounts of open source code in them.

    For example, last year I was with a CIO of a major agency, and he said “We have banned all open source software here”. When I pointed out that all his major ERP and web sites run on Solaris (because we sold it to him and support it for him), and that Solaris has been open source for the last 7 years, I could see the color drain from his face.

    Then I pointed at his Blackberry, which is all Java based and said “And your phone is all Java, which is also all open source!” So, the reality was, he was using open source all over the place!

    We need to understand, embrace, and manage open source across the Federal Government.

  • #74395

    Bill Vass
    Participant

    We are starting to see it everyplace… but Open Source needs to be embraced and managed consistently throughout the Federal Government just like any other technology

  • #74393

    Brian Hagan
    Participant

    Agencies need to work cooperatively and openly with commercial organizations on standards development when it can be shown to be cost effective. By adopting open source methods, Government agencies alter the way they can jointly develop standards with commercial enterprises. The benefits open source methods bring to the Government are lowering development costs and greater efficiency, plus the systems that share the same base technology (ex. Wireless technologies, cell phones, DVDs) will be able to communicate better with each other, saving future cost.

    However, open source development programs should not be restricted to creating software. Bio-technology can also benefit greatly from open source standards. The NIH, CDC, NASA, DHS, and DoD all conduct bio-tech research. What if they jointly developed standards (openly) with commercial and non-profit organizations necessary in the future development of new or improved medicines, or chem-bio-detection equipment? Does anyone know how much cooperation is being shared in C4IRS technology? Every DoD organization seems to be designing their own proprietary system, along with the Coast Guard designing for its own system and DHS working with first responders on a system. C4IRS is a perfect candidate to have its source code developed using open source methodologies.

    Open source methodologies are also important in development of knowledge databases such as Wikipedia. Imagine all of our acquisition rules, regulations, and procedures posted within a Wiki similar to Wikipedia, developed and updated by volunteer editors in the same manner as Wikipedia. Every regulation linked to its originating law, corresponding procedure, news links, and best practices. Considering the growth and complexity of the FAR and DFAR, this action could annually save Government employees thousands of hours of work, and the Government millions of dollars.

    Open source need not be restricted to software development. There are plenty of opportunities for open source methods to be used by Government agencies to work cooperatively with commercial and non-profit organizations where security is not a concern.

  • #74390

    Jim Irwin
    Participant

    This is a quote from the same people that produced the report you garnered your vulnerability charts from.

    “What you see is that open source and proprietary software both have issues. The risk seems to directly correlate with the complexity of the software type. Operating systems are inherently very complex, and always are very high on reported vulnerabilities. Notice that regardless of the license type, the level of relative risk is comparable by software type. What this seems to indicate is that complex software takes diligent effort to write, debug, and manage in an operational environment, regardless of the licensing that the software is distributed under.”

    I’ve also attached their chart with the top 25 vulnerable software.

  • #74388

    Bill Vass
    Participant

    I could not agree more, the government needs to create incentives for reuse and open source development across different agencies. DISA is already trying to set something like this up by creating and managing a central SourceForge collab site for all of DoD to share and contribute to. There are also a number of contracts GSA is working on as well.

    However, one of the most important things that needs to change is there needs to be a change in how the government does contracting to provide an incentive to reuse, and an incentive to contribute. Right now, the individual agencies’ incentives are to build everything from scratch and share nothing, and this is reinforced by the fact that the Systems Integrators make more money if they reinvent the wheel over and over again.

    Using the open source methodology to provide a framework for collaborative development is the right way to go, but it will need an additional push / change in contracting to get the integration and savings the government is looking for.

  • #74386

    Bill Vass
    Participant

    This is correct, the more complex the SW, the greater the risk

    However, the comparison I was making was related to “like” functionality. For example, Open Office vs. MS Office. According to the last PC Mag study, “Open Office has 98% the safe functionality as MS Office”.

    So you could say that they are functionally the same and have about the same level of complexity. AND, they both have a LARGE user base. There are over 220 million Open Office users, and somewhere around 550 million MS Office users. Neither is a small number.

    However, based on the data on the NVD, and the risk analysis, MS Office is about 10x less secure than Open Office.

    And that trend continues across all “Like” products. Java is much more secure than ActiveX/.Net, Xen is more secure than VMWare, Solaris and Linux are more secure than Windows, and so on….

  • #74384

    Cindy Lou Baker
    Participant

    I think the reason the powers that be don’t want to go full open source is all about the money. I’m sorry but I’ve seen some “government implementations” such as an IBM system for the Forest Service that took over 8 years! By the time we got access, it was already ancient. Pretty poor project management or ?

  • #74382

    Bill Vass
    Participant

    Unfortunately, moving to open source will not solve poor project management. It can, however, save billions across the Fed if used correctly. And, as many have pointed out in this discussion, using the open source methodology as a method to foster reuse and collaboration can also improve project management / delivery of large systems.
