OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: IDS: The price of Security Software
From: Jackie Chan (blue0nedigitz.org)
Date: Tue Oct 31 2000 - 07:11:07 CST

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
John,
        You made my point for me exactly. I also am a vendor, and have
been for some time. There have been many times where the commercial
product just did not stand up to the opensource product. In those cases I
as the vendor had to realize this so that I could help to make my own
product better.

As you said, there is no inherent benefit to opensource vs commercial
(except in price perhaps). My personal belief is that either can be good
or bad. This is definately a philosophical issue, and I merely wanted to
point that out, where Chris was making it sound like hard cold facts.

I agree that good security experts are expensive, however I know quite a
few of expensive security professionals who spend every evening and
entire weekends tending OpenSource projects (some of them security
related). The reason for this in my opinion is that there are a lot of
security professionals who are also coders, but many times the slot of
Security consultant makes much more than the slot of engineer. Also
engineers are not typically given the freedom of creativity that the
security professioanl is, that is why many (myself included) enjoy
participating in a development community in our (*laugh*) spare time.

But I digress, the point here is that the customer who wishes to find a
security product for their environment SHOULD consider all available
options based on the products merit. And I am happy to see that people
are doing this. Since early spring I have found 3 customers who have
chosen Snort for their IDS, and are very happy with it. Was there a
higher level of knowledge required?... sure. Was there some tweaking that
the customers had to do in each case?...sure. Was it cheaper for them in
the long run?...yes.

These customers were able to choose snort becuase they had a lot of
knowledge already in house. If not perhaps something a lil more
commercial would have been better. So the point is... it depends.

-blue0ne
http://www.digitz.org

On Tue, 31 Oct 2000, John S Flowers wrote:

> Jackie/BlueOne,
>
> While it may be "wrong" for anyone to represent the issues of Open Source
> vs. Commercial when it comes to creating new vulnerabilities or keeping
> software up-to-date, I'd argue that Chris is in a position to understand
> these points better than any of us.
>
> Of course, it probably doesn't hurt that I agree with his point completely.
>
> When you're a software vendor (which we are), you normally have to spend a
> lot of time discussing some of your potential open source "competitors" with
> your clients. Unfortunately, with the exception of the code being
> available, many open source solutions are inferior to commercial products.
>
> Don't get me wrong. I believe that having the source code can make the
> product *potentially* better. I just believe, as [I think] Chris has
> stated, having the source code doesn't automatically make open source
> solutions better than commercial products. In both cases, you still have to
> find a team of talented people to write the code that will improve the
> solution.
>
> If you believe, as I do, that talented security people are a) expensive and
> b) hard to find, then you can appreciate how a dedicated team of well paid,
> full-time security experts can improve a product and keep it up to date.
>
> There are, as always, rare exceptions to this rule.
>
> On 10/30/00 7:24 PM, "Jackie Chan" <blue0nedigitz.org> wrote:
>
> > Archive: http://msgs.securepoint.com/ids
> > FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> > IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> > HELP: Having problems... email questions to ids-owneruow.edu.au
> > NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> > SPAM: DO NOT send unsolicted mail to this list.
> > UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> > -----------------------------------------------------------------------------
> >
> > Chris,
> >
> >> To build all the security checks for both IDS and vulnerability scanners
> >> requires a team of security experts working full-time. Most organizations I
> >> talk with do not have the resources to develop their own attack signatures
> >> and vulnerability checks, despite free tools being open sourced. Long term,
> >> as the number of attack types and attack methods increase, I do not see how
> >> a non-security company could justify the cost of hiring a team to keep up,
> >> but rather pay a security vendor to do that for them. How many companies
> >> rely on open source antivirus solutions? It's very expensive to hire a
> >> team of security experts that can program and keep updating the security
> >> intelligence of scanners and IDS.
> >
> > What you are arguing here is basically the efficacy of Open Source vs
> > Commercial software. This is a philosophical debate, and it is wrong for
> > anyone to attempt to represent this as fact to the uninitiated.
> >
> > -blue0ne
> > http://www.digitz.org
> >
> >
> >
>
> --
> | John S Flowers <jflowershiverworld.com>
> | Chief Scientist http://www.hiverworld.com
> | Hiverworld -=- Adaptive, Distributed Security Technology
>