Federal agencies, looking for new ways to lower their IT costs, are exploiting open-source software tools in a wider range of applications, not only to reduce software costs, but also to tighten network security, streamline operations, and reduce expenses in vetting applications and services.
The Department of Homeland Security typifies the widening embrace of open-source software. The main reason has to do with saving money, says Greg Capella, DHS deputy executive director, Enterprise System Development Office, Chief Information Officer. The department is applying open-source code internally, not only for its IT infrastructure, but also for mobile applications, he said during the Red Hat Government Symposium in Washington, Nov. 6.
One open-source pilot, called “Car Wash,” is a platform to test the integration of mobile device applications. Capella notes that the pilot will extend beyond the DHS and soon be made available across the federal government. The system has already been presented to the federal CIO Council.
Agencies wishing to deploy Android or iOS-based devices can use Car Wash to look for preferred coding practices in applications and for security holes. “It gives you everything from coding best-practices… to security, [section] 508, and other compliance checks,” he said. The system will test and provide feedback, for instance, about how well the product’s developers have coded an application.
Efforts like Car Wash are one of the ways that the DHS wants to refine how it uses open-source software, Capella explained. The practices used in the pilot program build on open-source software’s strengths as a community-developed product that tends to catch the introduction of security holes while adding capabilities quickly to foundational software, he said.
The DHS is also focused on expanding its cloud capabilities using open-source software. That can be challenging because agencies within DHS often don’t want to compromise on features, Capella said. That’s changing, however, as budgets tighten. “We’re seeing more people willing to compromise and starting to embrace these 80 percent solutions as opposed to solutions that push the envelope.”
[ Find out how to streamline cloud security approvals. Read: FedRAMP Director Discusses Cloud Security Innovation ]
The expanded use of open-source software to streamline capabilities and improve operations can also be seen in the intelligence community, in particular at the National Security Agency.
There is a large amount of duplication involved in information assurance, explains Jeff Blank, a technology and systems analysis/network components director with the NSA’s Information Assurance branch. Much of that duplication is the result of multiple checklists required for vendors’ products at varying security and authorization levels.
Blank is now trying to reduce that duplication by conducting due diligence once with a vendor offering multiple products. Working with Red Hat, NSA set up a project called the Security Content Automation Protocol (SCAP) Security Guide in 2011. It is a hosted catalogue of key security settings for a range of software products such as enterprise Linux. The SCAP Guide also plugs into and cross references products with other security catalogues, such as DISA’s CCI List. He noted that the goal was to allow different enterprise consumers to use security profiles as a guide to selecting the products they needed.
Blank described the SCAP Guide program as a success, noting that it will help reduce the costs of security due diligence in the intelligence community. He also praised the quality benefits of open-source software that result from users working in shared environments and gaining feedback -- a big change from the days of proprietary software. “When [software] is done behind closed doors, you don’t always get the best results,” he said.