Migrating from Closed Source Software to OSS – Security Issues and Challenges

International Journal of Intelligent Computing Research (IJICR), Volume 5, Issue 4, December 2014

Olusegun Ajigini UNISA, South Africa

Abstract

Open source software (OSS) allows users and is accepted and used by the mainstream software developers to, amongst others, study, modify and users [18]. redistribute the source code. At the other end of the The issue of the security of OSS was highlighted spectrum, closed source software (CSS – the by two events, namely, a report released by Fortify antonym of OSS) disallows users and developers to Software in July 2008, claiming that necessary access and modify any source code. This paper standards were not achieved by OSS developers, and presents an overview of the migration from closed that Linux kernel developers had covered up security source systems (CSS) to open source systems (OSS) vulnerabilities [34] [40]. It was recommended in this with respect to Security Issues and Challenges. The report that OSS should be viewed warily due to paper proposes a Model to address such challenges. alleged high risks involved by government and The various OSS initiatives undergone by different commercial organisations. The report further national governments are highlighted. A comparison recommended the conducting of risk analyses and of OSS security and CSS security aspects, and an code reviews on any OSS code running in business- overview of security challenges during migrations to critical applications. OSS are presented. On the strength of these According to Manfield-Devine, the US comparisons, and using summative content analysis, Department of Homeland Security as part of the US a model to address security challenges during Government’s Open Source Hardening Project, migrations to OSS is proposed. The model is backed Coverity Software to investigate security developed through enhancements of previous models issues affecting OSS products, and they came up aimed at addressing security threats and protecting with a report that disagreed with the Fortify findings sensitive information during system migrations. [34] [39]. Coverity Software analyzed 55 million lines of code across 250 (amongst other Linux and Apache) projects and concluded that OSS quality and 1. Introduction security are improving. OSS should be evaluated from a security The perpetual rise of Open Source Software perspective to ascertain the level of security (OSS) has been a feature of the software industry robustness or potential exposure to threats [3]. They during the past ten years [31]. Subsequently, there also stressed that the increasing use of OSS may pose has been an increasing interest in the open source several security challenges to organisations. movement as a new paradigm for software In this paper we propose a model to address a development in recent years [46]. One such example number of security challenges during the migration is the South African Government who has been in from CSS to OSS. Our model is constructed from the the vanguard of using OSS since 2001 by adopting Aner and Cid framework proposed and part of the policy recommendations in 2003 [35]. rudimentary framework to protect sensitive The gradual proliferation of articles and reports in information during system migrations [1] [3]. the mainstream media spearheaded evidence for an The layout of the paper follows: In the early increased awareness of, and interest in open source sections, we consider some definitions of closed [56]. This is also the view of Hoepman that there are source software (CSS) and open source software many publications on OSS advantages and (OSS). We also highlight the history of OSS, OSS disadvantages [25]. It is estimated that at least 80% initiatives, OSS projects and OSS Migrations. This is of all commercial software solutions would have had followed by a comparison of the possible benefits of substantive open source components by 2012 [15]. OSS over CSS. In a similar vein, the second to the A recent study conducted by the International last section considers and compares security aspects Data Corporation (IDC) indicates that the OSS in both CSS and OSS. The last section presents an market will grow at an annual rate of 22.4% and overview of some security challenges in migrating would reach US$8.1 billion in 2013 [28]. However, from a closed source to an open source environment, it has been pointed out by Gwebu that low followed by our model aimed at addressing some of acceptance rates of OSS continue to reduce its share these challenges. The paper concludes with of the market [18]. In later work, it is emphasised references to future work in this area. that OSS benefits would not be fully realised until it

2. What is Open Source Software? 3. What is Closed Source Software (CSS)? Open source is described as software of which the source code is distributed along with the executable Closed source software (CSS) is a term invented program [20]. Such software is free to use and it as an antonym for OSS and is used to refer to any includes a license allowing users and developers to program whose licensing terms do not qualify as modify and redistribute the software. OSS refers to OSS. This implies that a user will have the binary any software that is distributed under OSS licensing version of the software that they are licensed to, formats [19] [59]. without any copy of the program’s source code. A Open source code is accessible to the users and user of closed source software cannot render such code may be enhanced for added functionality modifications to the software. CSS is based on the [59]. Possible errors in the code can be corrected and assumption that software development is a highly overall improvements to the source code can be specialised process that is managed by a team of done. Open source is a term of art which is the specialised developers and best practices project opposite of closed source in the sense of having its management, all of which result in new releases and source code freely available for anyone to make enhancements from time to time [46]. enhancements or correct errors [43]. In this paper, we define closed source software A comprehensive definition of open source (CSS) as software that users cannot render software is defined by the Open Source Definition modifications to and can be free or paid for as (OSD) and they list eight requirements of OSS as: (a) illustrated in Table 1. An example of closed source Free Redistribution, (b) Source Code availability, (c) software that is free as shown in Table 1 is the Derived Works, (d) Integrity of the author’s source Internet Explorer which can (e.g.) be downloaded code, (e) No Discrimination against Persons or from the Internet. Groups, (f) No Discrimination Against Fields of Endeavor, (g) License Must Not Restrict Other 4. History of OSS Software, (h) License must be Technology-Neutral. There are many classifications of open source and The foundation of the OSS movement can be closed source in the literature [19] [20] [59]. In this traced back to the US academia of the 1960s, when paper, we define open source software as software of there was a cultural attitude of opposition to the which the source code is distributed along with the restrictive nature of exclusive rights under executable program, having the right of intellectual property laws [31]. Richard Stallman, an redistribution, open standards, free to use, but could ex-MIT academic launched the Free Software be paid for (e.g. paying for the medium on which Foundation (FSF) in 1985, which is dedicated to the such software is distributed) as illustrated in Table 1. development of free software as a non-profit body In Table 1, our definition for open source covers [31]. both Quadrants A and C. Examples of open source Richard Stallman is considered to be the founder and closed source programs are listed in each of the of the open source movement because he holds very four quadrants. For example, Ubuntu Linux is a free, strong philosophical beliefs that all users of open source program in Quadrant A, while MS computers should have the freedom to enhance any Office is closed source software that is paid for and software in order to support their needs and also to resides in Quadrant D. share software [43]. He started to write the GNU

software (an acronym for ‘GNU’s Not Unix). He Table 1. Classification of Open and Closed also developed a licencing system for GNU software Source Software called ‘copyleft’. The FSF was set up to further the development of the GNU software [43]. Closed source The FSF freedom philosophy is openly anti- Open source software software business and this concept was promoted to a wider Quadrant B e.g. business community in 1997 by a group of free Quadrant A e.g. Free Internet Explorer, software community leaders [43]. This group came Ubuntu Linux, Apache Adobe Acrobat Reader up with the name ‘open source’ and they came up Quadrant D e.g. MS with a definition to provide the requirements for Paid Quadrant C e.g. Red Office, MS Windows open source software. This is the group that created For Hat, MySQL operating systems the Open Source Institute (OSI) that manages the Open Source Definition (OSD). According to Kemp, the FSF oversaw the GNU project, which was a mass collaboration, to create a free full operating system that will replace the UNIX system under the GPL – the GNU General Public

Licence (GPL) [31]. In 1992, the operating system encouraged the use of FOSS in the SA Government kernel (known as GNU Hurd) had not been [63]. completed, though all the other necessary A FOSS policy was approved by the South components had been completed. The GNU software African Cabinet in 2007, stipulating that all future was combined with Linux in 1992 (a new kernel) to software should be based upon open standards and have a complete operating system, a combination encouraged the migration of current government known as GNU/Linux and licensed under the GPL. software to FOSS [16] [63]. The State Information Linus Torvalds, a 21-year-old Finn and a Technology Agency (SITA) with the Council for computer scientist at Helsinki University, developed Scientific and industrial Research (CSIR) established Linux, which was firstly publicly released in a project office (FOSS Programme Office) that will September 1991 [43] [31]. The name ‘Linux’ is oversee the implementation of this policy [63]. derived from his first name and ‘UNIX’. Linux is Despite these decisions of government, FOSS freely available over the Internet and suggestions for adoption has not met its targets [63]. enhancing the system are requested from the public. The South African government started Linux is being used and adopted commercially by implementing FOSS within its departments since many computer manufacturers and it is a competitor 2006 and has a target of 60% for back-end servers for the Microsoft Windows operating system – a running FOSS [60]. However, the results of a survey closed system [43]. conducted from November 2007 to March 2008 According to Kemp, the Open Source Initiative suggest that FOSS is not yet widely used within the (OSI) was established by Eric Raymond and Bruce South African government [63]. They conclude that Perens in 1998 to promote OSS on pragmatic FOSS implementations in the SA government are grounds [31]. Part of the function of the OSI is to rather few. review and approve licences conforming to the Open The South African government is still using Source Definition (OSD) which was carved out from FOSS in the development of their software systems. the OSI (Open Source Initiative). The OSD has ten For example, FOSS components are used to develop requirements that must be adhered to before software the Integrated Financial Management System can be allowed to be classified as open source. (IFMS). This was done to lower the cost of supporting the software (e.g. license costs) and also 5. OSS Initiatives to improve on the quality and productivity of the IFMS software. FOSS is being used by South This section describes various OSS initiatives African government departments and many FOSS undergone by different national governments (South migrations have been performed by government African and foreign governments). The use of OSS departments. gained momentum in the last decade in both public and private organisations [62]. Internationally, 5.2. Foreign Government Initiatives governments see OSS as a tool that can assist them in enhancing affordable service delivery due to its This section outlines some of the various foreign low cost of implementation and maintenance [37]. government initiatives on the adoption and However, Oram reiterates that procuring OSS has implementation of FOSS in their organisations. proven difficult in governments and it is difficult to i. Indian Government: The Indian get information on government usage of OSS [41]. Government supports the use of FOSS Some studies have shown that OSS has a and has clear policies in this regard [35]. tendency to be cheaper on cost but more expensive India has implemented many projects in on consultation and maintenance [9] [14] [21] [37] support of FOSS adoption [51]. FOSS [44]. The close to zero license costs of OSS does not implementations have been carried out in necessarily translate to lower costs [50]. many countries, e.g. China, Pakistan, and the South Americas [23] [45] [64]. 5.1. South African Government Initiatives ii. Malaysian Government: The Malaysian government provided comprehensive The South African Government has strongly implementation guidelines for FOSS expressed the desire to use FOSS since 2001 [35]. adoption and approximately 128 The South African cabinet accepted two FOSS Malaysian state agencies migrated policy submissions, one by the National Advisory desktop users to FOSS by March 2008 as Council on Innovation (NACI) in 2002 and the other detailed in the Malaysian Public Sector by the Department of Arts and Culture, Science and Open Source Software Master Plan [57] Technology in 2003 [63]. The Government IT [58]. Officers (GITO) Council FOSS Working Group iii. Brazilian Government: The Brazilian compiled the 2003 FOSS policy for government government also implemented and (Cabinet Memorandum No. 29 of 2003) and this adopted FOSS, and has a large number

of FOSS developers and contributors Guaclalinux, Guadainfo, Linkat, Council [27] [36]. According to SERPRO, almost of Zaragoza and MAX. 60% of state departments in Brazil were using FOSS in 2005 [49]. A group of Many foreign governments migrated to FOSS in Brazilian proponents of social change order to lower the cost of supporting the software joined the FOSS communities and (e.g. license costs) and also to enhance the quality accelerated FOSS adoption by many and productivity of their systems. Protecting Brazilian Government Agencies during sensitive information during migrations is a way of the earlier part of the Lula improving the quality of a software system and the Administration [52]. The competence of research reported on in this paper may well assist IT professionals’ impacts on the foreign governments to improve on the quality and Brazilian FOSS adoption and the use of productivity of their software migrations with the FOSS in Brazil have sky-rocketed understanding of the security issues and challenges because many Brazilian educated during such migrations. professionals are committed to FOSS. iv. German Government: The German 6. Most Popular OSS Projects government also implemented many FOSS projects: migration from MS The emergence of open source software (OSS) is Exchange 5.5 to KOLAB, migration of a recent major development in Information 14000 Windows desktop and laptop Technology [6]. They point out that the commonly computers by the Munich Municipality used OSS products are MySQL database, Apache in 2004 to Linux and OpenOffice.org, web server, the Firefox web browser, the Linux migration of 10,000 desktop machines operating system, the Openoffice office suite and the by the German Foreign Office to FOSS DRUPAL content management system. They across 300 sites in 2007 [33] [38] [42]. maintain that the business value that OSS brings to The central administration of Germany organizations include tangibles such as cost savings signed an agreement with IBM to supply and reliability as well as intangibles such as FOSS products based on Linux at a innovation and flexibility. Software innovation has reduced price [37]. been democratized by OSS [2]; however, there are v. US Government: The US Government doubts whether this innovation can be used in launched its recovery .gov Website business applications where the end users are not the known as Drupal and it was based on an individual developers. Open Source Content Management Table 2 provides short descriptions of some System [48]. important OSS projects cited by different authors. vi. British Government: The British government adopted a policy on FOSS in Table 2. Examples of Important OSS projects 2002 [37]. The objectives of this policy OSS Project include the use of products based on Author Projects Description open standards, and avoiding problems of over-dependency on a specific Linux Linux is the [46] leading enterprise [31] supplier. The policy enhances the use of server operating FOSS in all publicly funded British system currently [54] organisations (Central Government with more than [6] Departments and their Agencies), local seven million governments, non-departmental public users. institutions, the National Health Service Perl It was designed [46] (NHS) and the educational sector. by Larry Wall. It vii. French Government: France set up the is the software Agency for Information and supporting the Communication Technology (AICTA) in most ‘live 2001 and it facilitates the use of FOSS content’ on the by public agencies [38]. Internet. It is used viii. Spanish Government: The Spanish by more than one million users as at Ministry of Industry, Tourism and Trade 2005. gave financial support for FOSS implementation to various government Python It was designed [46] institutions and autonomous by Guido van Rossum. It is used administrations [4]. Some FOSS to integrate implementations include GNU/Linux, systems more

effectively as a postscript files. scripting or glue It is the open [46] language that Open- Office.O source word [6] connects existing processor, components rg spreadsheet and together. It is used other general- for rapid purpose office application application development and software from Sun utilised by over Microsystems. 325,000 users. It is a content [6] It is a set of high [46] Drupal GNU management Project quality system programming tools from the

Free Software Foundation’s OSS is being developed and used by companies GNU project. like Google, eBay and presently Facebook [34]. This Apache It was originally [46] implies that the distinction between OSS and closed created by Rob [31] software might not be crucial because the OSS McCool in 1995. vendors are now the commercial enterprises. The Currently, it is [54] services support, and guarantees of continued used in over 53% [6] development given by major OSS distributors such (1 million) of as Red Hat are the same as the closed source today’s web servers which is software vendors [34]. more than The same development tools, practices and at Microsoft's IIS at times, the same developers are being used by both 23%. OSS and closed source vendors [34]. Tools and It is the open [46] processes used by OSS vendors include: public bug Mozilla tracking, regression tests, security architecture source version of [31] its popular review, code-scanning (simple pattern matching, or browser product [54] static analysis), systems tests, and penetration Communicator [43] testing. Many closed source software vendors use and it is these tools because they are well known and trusted. Netscape's next- generation web browser. 7. OSS Migrations Nescape produced the first According to Oram, the various successful OSS commercially successful web migrations include: (a) Migration from Microsoft browser called Office to OpenOfice.org and also from Windows Navigator in 1994 Operating System (OS) to Debian GNU/Linux by as closed source Munich; (b) Migration to OSS by a Brazillian software. stratum of educated professionals; (c) Migration to Netscape decided OSS by OSS advocates and civil society to make the organisations and (d) Migration from Microsoft Navigator source Office to OpenOffice.org in mid-2000 by code freely Massachusetts, USA [41]. available under a project known as The factors governing the sustainability of OSS Mozilla in 1998 Migrations have been investigated using a qualitative because the and thematic analysis approach [29]. The work of the Microsoft internet Shuttleworth Foundation has increased the explorer was knowledge and importance of OSS in South Africa made free. in recent years [29]. Several South African Ghost- Ghost-script is a [46] municipalities have migrated to OSS with various script postscript editor levels of success [24]. and and printer. A survey about OSS usage at universities and Ghostview research centres indicates that 60% of servers; 42% Ghostvie enables the w of database systems; 67% of email systems and 87% viewing of of tools for managing contents of universities are

based on OSS [5]. Research on characterising OSS deadlines, projects. migration initiatives has been performed [22]. They and no There is a found that software migrations from proprietary to hierarchical hierarchical open source depend on organisational and contextual team team factors such as the IT resources accessibility, structure in structure in OSS closed organisational climate, organisational complexity, developmen source political support, why the change is needed and the ts. projects – project leadership style. the An overview of OSS migration and criteria for corporate migration challenges has been presented [17]. He world. points out that organisations migrate to OSS from The quality CSS is [12] legacy systems because the legacy systems are Quality of OSS is perceived to [32] difficult to integrate with the newer technologies. perceived to have a [13] The OSS migrations can include: be higher lower  Language or code migrations; than that of quality than  Operating systems migrations; CSS. This is OSS.  Data migrations; because Developers many outside the  User interface migrations; developers closed  Architecture migrations. examine the group

software, cannot 8. Benefits of OSS vs. CSS – A facilitating detect errors Comparison the because the detection of source code

errors. is generally Table 3 is a comparison of the benefits of OSS not publicly and Closed Source Software by different authors. available.

This Table reveals that there are more profound benefits of OSS than for closed source software. [46] Quality of

Table 3. Comparing the Benefits of OSS and CSS CSS could The quality be higher Open Closed of OSS Benefit / than quality Source Source products Characteristi Author of OSS if Software Software should be c there is no (OSS) (CSS) higher than competition for CSS if OSS has The [43] in the Reliability there is increased reliability of [12] market. reliability some closed competition [13] over closed source between

source software is them in the [30] software. lower than market There are formal The reason that of OSS. is that OSS The reason inspections is usually is that CSS conducted critically is produced Generally in CSS examined by a smaller there are no projects as by many number of formal well as independent developers inspections broad and who work in the testing. enthusiastic against tight quality of Rigorous developers deadlines OSS measuremen during all its under much programs t is developmen pressure. and no performed tal stages. broad in CSS testing. imple- There is Due to [30] There is mentations. Sense of little sense stringent Urgency little of urgency deadlines to evidence to in OSS be met, support projects; there is a rigorous there are sense of measuremen little or no urgency of ts in OSS. strict CSS

independent vendor-lock Innovation & OSS has CSS has [12] more less of the in. Flexibility vendor. flexibility flexibility than CSS – than OSS Cost OSS tends Most CSS [12] source code due to its to be free; are not free is publicly code being [13] and have and have a available. closed. [59] low higher acquisition acquisition [46] By Users are [13] cost, except cost than providing not allowed for having OSS. users with to see the to pay for However, in [8] the freedom source code the media some and and this on which situations flexibility, restricts the software closed OSS enables innovation. may be source Total innovation But it distributed Cost of to modify facilitates (e.g. on a Ownership the software the security CD). (TCO) is

without any and lower than

restriction. reliability of that of open the source. software.

They have TCO for targeted [8] closed innovation source and that is The total open source business cost of software ownership focused could may roughly rather than roughly be technology be the same the same. focused. as for some closed Requiremen Requiremen [30] source Software ts are ts are used programs. Requirement mostly in CSS s absent in projects. The use of Closed [30] OSS The Adherence to standards is source projects. Capability Standards limited to projects There is Maturity data formats normally little Model like the adhere to systematic (CMM) is Hypertext most IT effort in well markup standards addressing addressed in language during Capability CSS (HTML), or implementat Maturity projects. the ion. Models Closed Extensible (CMMs). source markup There is projects language also little make use of (XML). evidence of UML or Most OSS Generally, it [59] using the other Usability / requires a Unified modeling Ease of code products offer code much longer Modeling techniques. errors period to Language identification error reporting resolve (UML) or and problem errors in any form of solving tools. These CSS, due to systematic tools assist in the faster non- modeling in availability OSS. detection of errors and of code

There is no CSS is [12] the rapid error Vendor-Lock Vendor- dependent reporting Ins finding of Lock In on the solutions. tools. associated Vendor. [13]

with OSS. Therefore,

The user is there is

Closed tation such documentati OSS usually source [8] as manuals on such as lacks programs do or guides. user not lack manuals, usability [32] because it is usability. guides etc. They developer- This is the CSS [59] centric. employ Personali- degree to developers Ability to expert sation which are usability correct developers generally testing errors is are able to not allowed limited to techniques write to attach users with and applications personalisati usability is technical in the way on to their ranked quite expertise. they want work. higher than the Company in OSS. application standards OSS It is more [59] to look and and policies Operating products are expensive to are used. have to be Systems supported change the OSS adhered to with operating developers and CSS is operating system use designed to systems that source code personali- accommoda surpass the of a CSS. sation a lot te the operating Developme in their generic systems that nt costs are work in software support CSS generally order to market. due to the high. Users change the availability usually have look and of source to wait for a feel of a code which next release product, so can be of the that it can altered. software. integrate Users can seamlessly adapt the with their OSS to their working operating environment systems. . This The cost of enhances such a their diversity of efficiency operating and mood. systems OSS Closed [59] tends to be Service and products source higher in Product come with systems are closed Support many supported source learning by a support systems due materials team and to their high obtainable they usually developmen from the make use of t costs. developer’s printed

Most OSS Most CSS [59] site or other material or Documen- projects locations books which tation projects are weak on produce supporting come at a manual and the OSS cost. document- tation. quality product.

documentati Large on. community of users and

developers Closed support OSS OSS are not [13] source products by legally

bound to programs designing

produce are legally tutorials and document- required to short supply articles on

how the safety- product Closed critical should be software. source [8] used. programs PM Most closed Best- [46] have a high practices are source response practices usually projects use User groups service. Project lacking in best- are available Ongoing Management most OSS practices and support support is projects and project is delivered provided to this could managemen via forums the undermine t techniques, and blogs. customer. the all of which Issues may, Support to product’s enhance a or may not the users of quality. product’s

be resolved CSS is quality. soon. arguably the

greatest advantage Most closed Release [30] of using source CSS. managemen t guidelines projects Is readily It is more [59] are informal follow Plug-in available for difficult to in OSS and release functionality OSS write Plug- there are managemen products. ins for often t guidelines. OSS Closed version developers Source proliferation and users systems and can extend than OSS implement- the because ation issues. functionalit documentati y of their on is not as product by rich as the Discussion of Table 3 using Plug- OSS. The ins to write source code The reliability of some CSS may be lower than their own is also not that of OSS owing to fewer programmers that modules readily develop closed source software, working against tight which can available. deadlines and under a fair amount of pressure [12] be [13] [43]. Closed source software is perceived to have integrated a lower quality and lower flexibility than OSS due to with the the non-availability of the source code [12] [13] [32]. OSS However there are arguments that CSS is of a higher product. quality than OSS, provided that there is no OSS CSS can be [46] competition in the market [30] [46]. Highly Most CSS implementations make use of a programs used specialised are less effectively modeling language like Unified Modeling Language Applications likely to be to develop (UML), as well as incorporating the Capability used to highly Maturity Model (CMM). In contrast, OSS develop specialised implementations usually do not make use of any highly applications. modeling techniques like UML; neither do they use specialised the CMM [30]. applications. The Total Cost of Ownership (TCO) of both OSS Formal [30] and closed source software are roughly the same [8]. specificatio Closed source programs do not lack usability, There is ns are used documentation or service/product support, whereas little in closed OSS programs usually lack usability and evidence source documentation [8] [30]. There is no vendor lock-in that formal projects and specificatio this associated with OSS but closed source software is ns are used enhances characterized by vendor lock-ins [12] [13]. in OSS their use in According to Raghunathan, the comparisons of projects and safety- open source and closed source are not conclusive, or this limits critical in a finer analysis are slightly in favour of open the use of software. source [46]. This is also the view of Khanjani, OSS in namely, that OSS yield more benefits than CSS [32].

More enthusiastic developers are involved in of the OSS test the code developing, testing and evaluating the code of OSS product that in closed programs. they want to systems, the use so as to author 9. Comparing OSS and CSS Security ascertain its stresses that quality and OSS initial security. coding tends The importance of analyzing a whole OSS system to be of a when performing an extensive security investigation higher has been emphasised [20]. Such analyses include the quality than application software, its source code, and the tools CSS. used for developing the object code. Examples are OSS is often CSS is [8] compilers, operating systems, hardware and the Controlled viewed as perceived as whole development environment. Environmen having being more Different authors have different perceptions when t security secure they compared OSS security with that of CSS as Developme issues because it is shown in Table 4. The table reveals that the security nt because developed of OSS is roughly of the same quality as that of a OSS is not in a CSS system. necessarily controlled developed environment in a by a Table 4. Comparing OSS and CSS Security controlled concentrate Characteris OSS CSS environment d team with Author tic security security . a common OSS designs Closed [25] direction. Publishing and source The source of Designs protocols designs and code may be and are protocols viewed and Protocols published are not edited only and these published. by this contribute to team. The the security software is of the comprehens systems. ively This may audited, reveal eliminating logical the risk of errors in the back door security of Trojans and the system. reducing the risk of code It is easier Open and [10] Finding and errors or to find and closed other correcting correct code approaches security software errors in to security issues. vulnerabilit OSS than in are rather y It is The authors [20] CSS owing similar. Closeness or to the Correcting maintained stress that openness of that OSS the security openness errors in software factor. CSS is improves of software code – software is dependent dependent security transparenc on the user on the through y, security and not programmin obscurity g team that and necessarily

developed trustworthin its the program ess because closedness – the source users and or openness.

code is not developers CSS can publicly can validate also be as an OSS secure as available. program's OSS. OSS users Because [34] Checking functionalit have the users do not y and and Testing freedom to have the of code security, validate and choice to due to the test the code validate and availability

of its source faster than vulnerabiliti code. for closed es and this source increases

systems. the risk of using the They highlight system. CSS does [25] that it is easier to not allow correct bugs users of The authors such in OSS Patch claim that it [7] systems software to managemen is easier to thereby evaluate its t is harder to manage enhancing security for patches in a coordinate the quality themselves. in open closed of code. This does source source This could not allow systems system than

also lead to users to because in an open easily the use of OSS comes source better discover in many system. project weaknesses different and managemen versions. t and quality 'patching' is Patches will control. not possible not be Open source by users. available for users can some independent distributions ly evaluate and they the security may be for vulnerable

themselves. to attacks The real while others exposure of are being the system patched. can be assessed and CSS [61] the gap OSS products are between products are less secure perceived more secure than OSS and actual than CSS products. exposure is products. diminished. However, their general Analysis of There are no The [47] pattern of published significant vulnerabilit vulnerabilit

vulnerabiliti differences y severity y detection es in terms of found is similar. vulnerabilit between y severity open source found and closed Discussion of Table 4 between source are open source perceived to Closed source designs and protocols are not and closed be the same. published, whereas the OSS designs and protocols are

source. published enhancing the security of OSS programs

since logical errors may be revealed [25]. This is also

the view of Dwan that due to the openness of OSS

More and code, it is easier to find and correct errors in OSS Patches for faster [25] than in CSS [10]. This is also pointed out by patches can vulnerabiliti Hoepman that more and faster patches are found in be found in es of closed OSS whereas patches are not released as fast in CSS, systems are open source thereby increasing the risk of using the system systems. released securely [25]. weeks or Patches for OSS users have the freedom to validate and test open source months after the the code in order to ascertain its quality and security, systems are therefore OSS initial coding tends to have higher released discovery of the quality and security than CSS [34]. However, Daniel

argues that CSS is perceived to be more secure than auditing (b) Penetration testing, and (c) Using OSS because it is developed in a controlled Statistical analysis tools. environment by a dedicated team of developers with a As per Anner, the threat modelling process common direction [8]. consists of four stages, viz: (i) Application The view of Hansen is that CSS can be as secure Analysis/Diagramming (ii) Threat Enumeration, (iii) as OSS because the security of software is dependent Threat Rating, and (iv) Mitigation Options [3]. They on the user and not on its openness or closedness point out that the threat modeling approach with [20]. The severity of vulnerabilities found between slight modifications can assist with the identification OSS and CSS are similar as pointed [47]. While our of security vulnerabilities, as well as investigating view is that OSS is more secure than CSS, there are, coding issues and implementation mistakes. however, security challenges that have to be overcome when migrating from a closed system to an A Rudimentary Management Framework to open system [17]. protect sensitive information during the migration to an open source system is suggested [1]. The model 10. Security Challenges during Migration we propose in this section for addressing the security challenges discussed in this paper in migrating to to OSS OSS, is based in part on the threat-modeling framework in Anner and the sensitive information A list of items that can be migrated is presented migration framework [1] [3]. by Geetha and these are: (a) Language or code Our model is illustrated in Fig. 1 and is discussed migrations, (b) Operating system migrations, (c) below: Data migrations, (d) User Interface migrations and During the Application Analysis/Diagramming (e) Architecture migrations [17]. He points out that phase (A), the applications are analyzed from a flow the challenges to migration from Legacy systems to of data perspective. All the aspects that make up the OSS include: (i) Qualification and selection of OSS, applications are catalogued and the relationships (ii) Human factors such as: Fear of the new software; between the assets in terms of data exchange are Knowledge is power; Cost of training personnel for identified through a UML Class-oriented structure. the new tools; reduced productivity of the personnel The Threat Enumeration phase (B) consists of and (iii) Technical challenges. The technical analyzing each element in the Class-oriented UML challenges include: Usability; Software Development against a list of potential threats depending on the Service and support; Security; Data migration; and element type using the STRIDE Taxonomy [28]. OSS Code Maintenance and Management [11]. STRIDE is used as a classification schema to According to Geetha and ElHag, the security characterize known threats in accordance to the challenges during migration to OSS are: (a) attacker motivation. Detecting security risks, bugs, and errors, (b) The risk levels for each of the enumerated threats Eliminating the bugs and errors and (c) Obtaining are determined and ratings of all threats are metrics for measuring software security for real-time established during the Threat Rating phase (C). and mission critical software [11] [17].

11. A Model for Addressing the Security Challenges during Migration to OSS

Summative content analysis was used as the research method to explore the model for addressing the security challenges during migration to OSS. During summative content analysis, the keywords (derived from review of literature) are identified before and during data analysis [26]. Keywords are extracted from the literature and mostly from the two articles written by Anner and Ajigini [1] [3]. An open source assessment framework and a threat modelling methodology, pioneered by Microsoft since 1999 have been highlighted, this is then proposed by Anner to overcome the security challenges of OSS [3] [53]. The aim is to reduce the risks to confidentiality, integrity and availability and to identify and reduce threats, vulnerabilities and risks to an acceptable level. They mention that Figure 1. Modelling security challenges during alternative methods to reduce risks include: (a) Code OSS migration

c) Redesign other security controls. During the Mitigation Options phase (D), all Phase E: Data Categorisation Phase – functionality and patching are removed and other security controls are added and redesigned. a) Develop business rules. The business rules and the data classification b) Develop a Data classification system. system are used to classify migrated data during the c) Classify data based on business rules and the Data Categorisation phase (E). above data classification system. Data protection tools and Privacy enhanced Phase F: Data Encryption Phase – technologies are used to encrypt the data during the Data Encryption phase (F). a) Deploy Data Protection Tools. The encrypted data is now migrated during the b) Deploy Privacy Enhancement Technologies. Data Migration phase (G). c) Use secure Tools to encrypt the data. Implementing the Proposed Model Phase G: Data Migration Phase – The following processes are proposed to a) Ensure that data to be migrated are implement the model in Figure 1: encrypted by using verification techniques. Phase A: Application Analysis/Diagramming Phase – b) Migrate the encrypted data. a) Identify security objectives – user identity protection, privacy and regulation, 12. Conclusions availability guarantees of applications. b) Catalogue all the applications. In this paper we investigated the notions of closed c) Analyse all the application designs and source software (CSS) and open source software architectures to identify the components (OSS); the security issues and challenges of using Data Flows. migrating from CSS to OSS were investigated, we d) Identify UML component diagrams. discussed the respective advantages of each and e) Identify the relationships between the assets considered comprehensively the security aspects using data exchange by using Class-oriented underlying each approach to software development. UML structures. A comparison of the benefits of OSS and closed source software by different authors was explored. Phase B: Threat Enumeration Phase – The comparisons of the benefits of open source and closed source are slightly in favour of open source. a) Analyse each element in the Class-oriented Additionally, a comparison of OSS and CSS security UML diagram against potential threats by was undertaken and our view is that OSS is more using the STRIDE Taxonomy. secure than CSS. b) Analyse data movement across trust Using summative content analysis, the challenges boundaries (e.g. from Internet to Web tier). in migrating from a closed system to an open system c) Identify the features and modules with a were identified, and these, together with two security impact that need to be evaluated. frameworks – one for threat modelling and another d) Investigate how data enters modules, how for protecting sensitive information during system modules validate and process the data, migration were used to propose a model for where the data flows to, how the data is addressing the various security aspects in migrating stored and what fundamental decisions and from an open system to a closed one [1] [3]. Our assumptions are made by the modules. model is based on a seven-phase process as Phase C: Threat Rating Phase – presented in Figure 1. It is anticipated that this model may be useful as a basis for mitigating the security a) Identify threats using Bugtraq tools and challenges in moving from a closed (CSS) to an open techniques. Bugtraq is a mailing list (OSS) system. containing information on how to exploit and use intrusion detection systems vulnerabilities in defending networks. 13. Future Work b) Determine the risk levels of each threat. Future work in this area may be pursued along a c) Establish the ratings of all the threats. number of lines: The framework proposed for d) Use either a threat graph or a structured list protecting sensitive information during system to write out the threats. migration has to be further integrated with the Phase D: Migrations Options Phase – security-protection model proposed in this paper [1]. In particular the classification of sensitive a) Remove the functionality and patching. information in phase 5 – Data Categorisation has to b) Add other security controls. be further developed. Having implemented our

model, we have to validate it in industry at [14] Gallopino, R. (2009) ‘Open Source TCO: Total Cost companies that have migrated to OSS, as well as of Ownership and the Fermat’s Theorem’; those who are yet to undertake such migration. http://robertogaloppininet/2009/01/08/open-source-TCO- total-cost-of-ownership-and-the-Fermats-theorem/(ed.) (21 March, 2012) 14. References [15] Gartner, (2008) Gartner highlights: Key predictions [1] Ajigini, O. A., Van der Poll, J. A. and Kroeze, J. for IT organisations and users in 2008 and beyond. H. (2012) ‘Towards a management framework to protect sensitive information during migrations’, in Proceedings of [16] GCIS, (2007) ‘Cabinet Statement.’ Feb 22; the 2nd International Conference on Design and Modeling www.gcis.gov.za/media/cabinet/2007/070222.htm (2 in Science, Education and Technology (DeMSet), pp. 6-13. February, 2012.

[2] Allen, J. P. (2012) ‘Democratizing business [17] Geetha, S. (2012) ‘Possible challenges of developing software: Small business ecosystems for open source migration projects’, International Journal of Computers & applications’, Communications of the Association for Technology, 3(3), pp. 463 - 465. Information Systems, 130 (28), pp. 483-496. [18] Gwebu, K. L. and Wang, J. (2010) ‘An exploratory [3] Anner, Y. and Cid, C. (2010) Open-Source study of free open source software users’ perceptions’, The security assessment, Royal Holloway Series. Journal of Systems and Software, 83(11), pp. 2287 - 2296.

[4] CENATIC, (2008) ‘Open source software for the [19] Gwebu, K. L. and Wang, J. Wang (2011) ‘Adoption development of the Spanish public administration: An of open source software: The role of social identification’, overview’; www.cenatic.es (7 April, 2011). Decision Support Systems, vol. 51, pp. 220 - 229.

[5] CENATIC, (2009). ‘Study on the situation of [20] Hansen, M., Kohntopp, K. and Pfitzmann, A. open source software in universities and R&D centers’, (2002) ‘The open source approach – opportunities and Report, Almendralejo; www.cenatic.es (7 April, 2011). limitations with respect to security and privacy’, Computers & Security, 21(5), pp. 461 - 471. [6] Chengalur-Smith, I., Nevo, S. and Demertzoglou, P. (2010) ‘An empirical analysis of the [21] Hauge, O., Ayala, C. and Conradi, R. (2010) business value of open source infrastructure technologies’, ‘Adoption of open source software in software-intensive Journal of the Association for Information Systems, organisations – A systematic literature review’, Journal of vol. 11, Special issue, pp. 708 - 729. Information and Software Technology, vol. 52, 1133 – 1154. [7] Clark, R., Dorwin, D. and Nash, R. (2009) ‘Is open source software more secure?’ Homeland Security / [22] Heredero, P., De, C., Berzosa, D. L. and Santos, Cyber Security; R. S. (2010) ‘The implementation of free software in firms, http://www.cs.washington.edu/education/courses/csep590/ an empirical analysis’, The International Journal of Digital 05au/whitepaper_turnin/oss%2810%29.pdf. (2 Accounting research, 10(6). February, 2003). [23] Hedgebeth, D. (2007) ‘Gaining competitive [8] Daniel, J. (2009) ‘Open source vs. closed source advantage in a knowledge-based economy through software: The great debate’; the utilization of open source software’, VINE: The http://www.articlesbase.com/internet-articles/open-source- Journal of Information and Knowledge Management vs-closed-source-software-the-great-debate-1040071.html Systems, 37(3), pp. 284 – 294. (1 February, 2013). [24] Hislop, R. (2004) ‘Mossel Bay adopts Linux on the [9] Drozdik, S. and Kovacs, G. L. (2005) ‘Risk desktop’, Electronic Government Africa, 1(1), pp. 14. Assessment of an open source migration project’, In Proceedings of the First International Conference on Open [25] Hoepman, J. and Jacobs, B. (2007) ‘Increased Source Systems, Geneva, M. Scotto & G. Succi (eds.) pp. security through open source’, Communications of the 246 – 249. ACM, 50(1), pp. 79 - 83.

[10] Dwan, B. (2004) ‘Open source vs. closed’, Network [26] Hsieh, H. and Shannon, S. E. (2005) ‘Three Security, vol. 5, pp. 11-13. approaches to qualitative content analysis’, Qualitative Health Research; [11] ElHag, H. M. A. and Abushama, H. M. (2009) http://qhr.sagepub.com/content/15/9/1277 (19 ‘Migration to OSS: readiness and challenges’. September, 2014).

[12] Fitzgerald, B. (2006) ‘The transformation of open [27] Lewis, J. A. (2007) ‘Government open source source software’, MIS Quarterly, 30(3), pp. 587 - 598. policies’; http://www.csis.org/media/csis/pubs/070820_open_source [13] Gallegoa, M. D., Lunab, P. and Bueno, S. (2008) _policies.pdf, (29 January 2012). ‘User acceptance model of open source software’, Computers in Human Behaviour, 24(5), pp. 2199 - 2216.

[28] Little, G. and Stergiades, E. (2009) Worldwide Open [43] Pearson, H. E. (2000) ‘Open source licenses, Source Services, 2009-2013 Forecast. open source – The death of closed source Systems?’ Computer Law & Security Report, 16(3), pp. 151 - 156. [29] James, S. and Van Belle, J. (2008) ‘Ensuring the long-term success of OSS migration: a South African [44] Poulter, A. (2010) ‘Open source in libraries: an exploratory study’, 6th Conference on Information Science introduction and overview’, Emerald, 59(9), pp. 655 – 661. Technology and Management, New Delhi, India. [45] Rafiq, M. and Ameen, K. (2009) ‘Issues and lessons [30] Kamthan, P. (2007) ‘A perspective on software learned in open source software adoption in Pakistani engineering education with open source’, IGI Global. libraries’, The Electronic Library, vol. 2794, pp. 601 – 610. [31] Kemp, R. (2009) ‘Current developments in open source software’, Computer Law & Security Review, vol. [46] Raghunathan, S., Prasad, A., Mishra, B. K. and 25, pp. 569 - 582. Chang, H. (2005) ‘Open source versus closed source: Software quality in monopoly and competitive markets’, [32] Khanjani, A. and Sulaiman, R. (2011) ‘The IEEE Transactions on Systems, Man and Cybernetics – aspects of choosing open source versus closed source’, Part A: Systems and Humans, 35(6), pp. 903 - 918. IEEE Symposium on Computers & Informatics, pp. 646- 649. [47] Schryen, G. (2009) ‘Security of open source and closed source software: An empirical comparison of [33] Kovacs, G. L., Drozdik, S., Zuliani, P. and Succi, published vulnerabilities’, AMCIS Proceedings, Paper 387. G. (2004) ‘Open source software for the public administration’, In Proceedings of the 6th International [48] Scola, N. (2009) ‘Why the White House’s Workshop on Computer Science and Information embrace of Drupal matters’, Personal Democracy Forum Technologies, Budapest, Hungary. techPresident.

[34] Manfield-Devine, S. (2008) ‘Open source: does [49] SERPRO, (2005) ‘Fast move to free software in transparency lead to security?’, Computer Fraud & Brazil’; http://ec.europa.eu/idabc/en/documents/5131/528, Security, pp. 11 - 13. (20 January, 2012).

[35] Miscione, G. and Johnston, K. (2010) ‘Free and open [50] Shaikh, M. and Cornford, T. (2012) ‘Strategic source software in developing contexts, from open in drivers of open source software adoption in the principle to open in the consequences’, Journal of public sector: Challenges and opportunities’, European Information & Ethics in Society, 8(1), pp. 42 - 56. Conference on Information Systems AIS, Paper 237.

[36] Mtsweni, J. and Biermann, E. (2010) ‘A roadmap to [51] Sharma, A. and Adkins, R. (2006) ‘OSS in proliferate open source software usage within SA India’, In DiBona, C., Cooper, D. and Stone, M. (eds.), Government servers’, Third International Conference on Open Sources 2.0, O’Reilly Media, Sebastopol, CA, pp. Broadband Communications, Information Technology & 189 - 196. Biomedical Applications, IEEE Computer Society, pp. 430 - 436. [52] Shaw, A. (2011) ‘Insurgent expertise: The politics of free/live and open source software in Brazil’, [37] Mutula, S. and Kalaote, T. (2010) ‘Open source Journal of Information Technology & Politics, vol. 8, pp. software deployment in the public sector: a review of 253 – 272. Botswana and South Africa’, Emerald, 28(1), pp. 63 – 80. [53] Shostack, A. (2008) ‘Experiences threat modelling at [38] Nagler, M. (2005) ‘Open Source adoption of the Microsoft’, In Modelling Security Workshop, Dept. of German Federal Office for information security’; Computing, Lancaster University, UK; http://ec.europa.eu/idabc/servelets/Doc?id=21394 (25 http://blogs.msdn.com/sdl/attachment/8991806.ashx (2 January 2012). February, 2013).

[39] Open Source Report, Coverity Report, (2008); [54] Stol, K., Babar, M. A., Russo, B. and Fitzgerald, B. http://scan.coverity.com/report/ (1 February, 2013). (2009) ‘The use of empirical methods in open source software research: Facts, trends, and future Directions’, [40] Open Source Security Study, Fortify Report, (2008); FLOSS, Vancouver, Canada, pp. 19 - 24. www.fortify.com/ossreport.html (1 February, 2013). [55] Swiderski, F. and Snyder, W. (2004) Threat [41] Oram, A. (2011) ‘Promoting open source software in Modelling, Microsoft Press. Government: The challenges of motivation and follow- through’, Journal of Information Technology & Politics, [56] The Guardian, 2004 ‘Open invitation taken up at 8(3), pp. 240 – 252. last’; http://society.guardian.co.uk/epublic/story/0,,1362744,00.h [42] Otter, A. (2007) ‘SA government gets serious about tml. (2 February, 2013). ODF, IOIL Technology’; http://www.ioltechnology.co.za/article_page.php?iArticleI [57] Thomas, J. (2007) ‘Malaysian public sector OSS d=4126700&iSectionId=2888, (21 February 2012). program Phase II: Accelerated adoption’;

http://www.oscc.org.my/documentation/phase2_launching/ OSS-Phase-2Strategy-Plan-Launch.pdf (5 June, 2013).

[58] TMPSOSSSMP, (2008) ‘The Malaysian public sector open source software master plan: Phase II – Accelerated adoption’; http://www.mampu.gov.my/seminar%20ict/kk2-OSS.pdf ( 19 February, 2012).

[59] Vintila, B. (2010) ‘Citizen oriented open source security’, Open Source Science Journal, 2(3), pp. 57 - 64.

[60] Vital W. (2006) ‘The South African adoption of open source’, White paper created by Vital Wave Consulting; www.vitalwaveconsulting.com/insights/South-African- Adoption-of-Open-Source.pdf, (20 February, 2012).

[61] Walia, N., Rajagopalan, B. and Jain, H. (2006) ‘Comparative investigation of vulnerabilities in open source and proprietary software: An exploratory study’, Americas Conference on Information Systems (AMCIS), vol. 108, pp. 848 - 857. Weber, T., 2004. The success of open source. Harvard University Press, New York, NY.

[62] Weber, T. (2004) The success of open source. Harvard University Press, New York, NY.

[63] Weilbach, L and Byrne, E. (2010) ‘A human environmentalist approach to diffusion in ICT policies – A case study of the FOSS policy of the South African Government’, Journal of Information Communication & Ethics in Society, 8(1) pp. 108 – 123.

[64] Yeo, B., Liu, L. and Saxena, S. (2006) ‘When China dances with OSS’, In DiBona, C., Cooper, D. and Stone, M. (eds.), Open Sources 2.0, O’Reilly Media, Sebastopol, CA, pp. 197 – 210.