24-09-2012, 03:38 PM
Open Source Software
[attachment=34493]
What is Open Source Software (OSS)?
OSS: software licensed to users with these freedoms:
to run the program for any purpose,
to study and modify the program, and
to freely redistribute copies of either the original or modified program (without royalties, etc.)
Original term: “Free software” (confused with no-price)
Other synonyms: libre sw, free-libre sw, FOSS, FLOSS
OSS most common in DoD (I often use “FLOSS” to non-DoD)
Antonyms: proprietary software, closed software
Widely used; OSS #1 or #2 in many markets
“… plays a more critical role in the DoD than has generally been recognized.” [MITRE 2003]
Not non-commercial; OSS almost always commercial
[For details see “Free Software Definition” & “Open Source Definition”]
Why would contractors use/develop OSS for supply to others?
Same list as previous, plus...
OSS use—similar advantages to use of proprietary commercial item
Competitive advantage (if uses & others don’t), because shared development of item across many users (cost, time, quality, innovation) tends to produce better results
Can focus on problem not lower-level issues (if everyone uses)
But with a twist: Avoids risks of depending on proprietary commercial items
Proprietary third-party: Vendor lock-in risks (costs, abandon,...)
A contractor: All other contractors will avoid (to avoid the risk of complete dependence on a direct competitor), inhibiting sharing
OSS development: First-mover advantage
First one to release defines architecture & has best expertise in the OSS component, leading to competitive advantage
OSS consistent with DoD policy
DoD memo “Clarifying Guidance Regarding OSS” (Oct 16, 2009)
OSS is commercial, commercial must be preferred
DoD must develop/update capabilities faster; OSS advantages
Include OSS in market research, consider OSS positive aspects
Source code is “data” per DODD 8320.02; must share in DoD
DoD-developed software should be released to the public under certain conditions
Updates DoD memo "Open Source Software (OSS) in the Department of Defense (DoD)" (2003), which also stated that OSS is fine as long as it meets usual software requirements
OMB M-04-16 “Software Acquisition” (July 1, 2004)
Dept. of the Navy “OSS Guidance” (June 5, 2007)
Some misunderstood DoDD 8500.1/DoDI 8500.2 DCPD-1 as forbidding OSS...
Can “security by obscurity” be a basis for security?
“Security by Obscurity” can work, but iff:
Keeping secret actually improves security
You can keep the critical information a secret
For obscurity itself to give significant security:
Keep source secret from all but a few people. Never sell or reveal source to many. E.G.: Classify
Keep binary secret; never sell binary to outsiders
Use software protection mechanisms (goo, etc.)
Remove software binary before exporting system
Do not allow inputs/outputs of program to be accessible by others – no Internet/web access
Incompatible with off-the-shelf development approaches
Fine for (custom) classified software, but that’s costly
Proprietary software can be secure – but not this way
[attachment=34493]
What is Open Source Software (OSS)?
OSS: software licensed to users with these freedoms:
to run the program for any purpose,
to study and modify the program, and
to freely redistribute copies of either the original or modified program (without royalties, etc.)
Original term: “Free software” (confused with no-price)
Other synonyms: libre sw, free-libre sw, FOSS, FLOSS
OSS most common in DoD (I often use “FLOSS” to non-DoD)
Antonyms: proprietary software, closed software
Widely used; OSS #1 or #2 in many markets
“… plays a more critical role in the DoD than has generally been recognized.” [MITRE 2003]
Not non-commercial; OSS almost always commercial
[For details see “Free Software Definition” & “Open Source Definition”]
Why would contractors use/develop OSS for supply to others?
Same list as previous, plus...
OSS use—similar advantages to use of proprietary commercial item
Competitive advantage (if uses & others don’t), because shared development of item across many users (cost, time, quality, innovation) tends to produce better results
Can focus on problem not lower-level issues (if everyone uses)
But with a twist: Avoids risks of depending on proprietary commercial items
Proprietary third-party: Vendor lock-in risks (costs, abandon,...)
A contractor: All other contractors will avoid (to avoid the risk of complete dependence on a direct competitor), inhibiting sharing
OSS development: First-mover advantage
First one to release defines architecture & has best expertise in the OSS component, leading to competitive advantage
OSS consistent with DoD policy
DoD memo “Clarifying Guidance Regarding OSS” (Oct 16, 2009)
OSS is commercial, commercial must be preferred
DoD must develop/update capabilities faster; OSS advantages
Include OSS in market research, consider OSS positive aspects
Source code is “data” per DODD 8320.02; must share in DoD
DoD-developed software should be released to the public under certain conditions
Updates DoD memo "Open Source Software (OSS) in the Department of Defense (DoD)" (2003), which also stated that OSS is fine as long as it meets usual software requirements
OMB M-04-16 “Software Acquisition” (July 1, 2004)
Dept. of the Navy “OSS Guidance” (June 5, 2007)
Some misunderstood DoDD 8500.1/DoDI 8500.2 DCPD-1 as forbidding OSS...
Can “security by obscurity” be a basis for security?
“Security by Obscurity” can work, but iff:
Keeping secret actually improves security
You can keep the critical information a secret
For obscurity itself to give significant security:
Keep source secret from all but a few people. Never sell or reveal source to many. E.G.: Classify
Keep binary secret; never sell binary to outsiders
Use software protection mechanisms (goo, etc.)
Remove software binary before exporting system
Do not allow inputs/outputs of program to be accessible by others – no Internet/web access
Incompatible with off-the-shelf development approaches
Fine for (custom) classified software, but that’s costly
Proprietary software can be secure – but not this way