“Vendors are increasingly including open-source components in
their commercial products. What impact does this trend have on
product security?”
“Almost no one can afford to build their own new products from
scratch anymore, and the problem is magnified for vendors of
network appliances: They’ve got to deliver a functional,
competitively priced server, including software and hardware, while
still turning a profit. Vendors of other products, from operating
systems to software suites to end-user workstations, are feeling
the pinch as well.”
“Considering this environment, it’s not surprising to find
vendors increasingly turning to open-source code when creating new
products. Yet buyers may not always be aware that inside their
shiny new firewall lurks an open-source OS, such as Linux or
FreeBSD. Network security appliances designed to do firewalling,
intrusion detection and other security functions often rely
extensively on open-source OSes and utilities. But many other
products include open-source components as well. Apple’s new
Macintosh OS X, for instance, is based on FreeBSD 3.2 and the Mach
3.0 project from Carnegie Mellon University. Apache, BIND, Sendmail
and Perl are all widely used in both commercial and non-commercial
products.”
“Among the obvious reasons developers turn to open source are
cost and security. Clearly, vendors can keep their costs down when
they don’t have to build their own components or buy licenses for
commercial components. Why build a Web server when you can use the
best one around, Apache, for nothing? Why build your own OS when you
can use FreeBSD? Why not include open-source security utilities
with a commercial security product?”