Absolutely, yes. According to IDC, organizations spent $1.8 billion on stand-alone open source software in 2006, and IDC projects that total revenues in this market will reach $5.8 billion by 2011.
Eager to get in on that action, a number of software companies are now offering commercial security software based on open-source code. While some vendors hide their use of open source, most of this new batch of companies openly promote open source as a feature of the product. And they say their customers are enthusiastically responding.
Why choose open source?
Why are customers so attracted to open-source? According to the vendors, it comes down to cost and flexibility. Dirk Morris, founder and CTO at Untangle, explains, “Our customers usually employ between 30 and 150 people. They’re small businesses, and some schools, who can’t afford proprietary solutions, but need to secure their networks.”
Playing up the flexibility angle, Dave Roberts, VP of Strategy and Marketing at Vyatta, adds, “Our customers tell us that switching to open-source is tremendously liberating. They’re no longer forced to put up with bad business practices that they often encounter on the proprietary side.”
It also doesn’t hurt that open-source security software often performs better than closed-source alternatives. “We always knew we were going to harness third-party applications [in Untangle],” says Morris. “We tried a lot of them and found that the open-source solutions were better architected and more effective, which was surprising to us at the time.”
“It’s not that open-source is inherently more secure,” elaborates Roberts. “All code has bugs. The big distinction is in how security incidents get handled.” While closed-source vendors can choose to keep a potential security breach quiet until the next product release, open-source vendors have no choice but to fix problems as soon as possible.
Why pay for something that’s free?
So why would anyone pay for the commercial version of software that they could get for free? In most cases, the answer is “support.” Nearly all of the vendors on our list charge an annual subscription for telephone and/or online support.
The other big reason for choosing one of these products is convenience. Some, like both Untangle and Vyatta, combine a number of different products into a single solution that simplifies installation and management. Some also offer pre-configured appliances or servers that make installation even easier.
Finally, some of the products offer expanded features that aren’t available in the free versions. In most cases, these expanded features are aimed at the lucrative enterprise market, which has a greater need for scalability and reliability.
10 Commercial Open-Source Security Vendors
According to its Web site, the Untangle Gateway Platform is “the world’s first commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network.” Their product is an amalgamation of some of the best open-source security software available (including SpamAssassin, ClamAV, and Snort) plus some code Untangle developed on its own. Price: $25 and up (depending on the size of the network).
Vyatta (vee-AH-ta) offers an open source networking solution that includes a router, firewall, and VPN. The Community Edition with community support is available free of charge. The Professional Subscription provides online support, and the Enterprise Subscription provides telephone support. Vyatta also offers pre-configured appliances. Price: $647 and up.
Sourcefire manages two of the most popular open-source security projects: ClamAV anti-virus and anti-malware and Snort intrusion prevention and detection. Their commercial product, Sourcefire 3D Enterprise Threat Management, leverages both open source products, as well as additional network security technology. Their products and support services are available exclusively through resellers and other partners. Price: Not Available.
Recent regulatory changes have heightened interest in two-factor authentication systems for corporate security and online banking. WiKID uses open-source software and everyday cell phones, PDAs, and other handheld devices to generate one-time passwords that are as secure as (and more convenient than) hardware tokens. Price: $10 per person per year and up.
Tri-D’s one-time password software is available for free in the open-source community edition. Professional and Enterprise editions are based on the same code, but offer additional features, greater scalability, support, and updates. Tri-D software can be used with a variety of tokens and ID cards, which are also available for sale on the site. Price: $750 and up (depending on the size of the network).
Developer of the popular Nessus vulnerability scanner, Tenable Network Security also offers a Security Center for enterprise security and compliance monitoring. Nessus and the Security Center have won a number of industry awards, and the company also offers products specifically for government agencies. Price: $15,750 and up (depending on the size of the network).
At Smoothwall.org, you can find out all about the Smoothwall Express, the open source firewall that bills itself as “the world’s favourite.” At Smoothwall.net, however, you’ll find the company’s commercial products, which also include web security/content filtering, email security/anti-spam, and bandwidth management (QoS) products with commercial support. Both their software and network appliances are available exclusively through resellers. Price: Not Available.
New Zealand-based Total Information Security created the open source MailSaurus e-mail server, as well as the OffiSaurus groupware and the FileSaurus document management system (are you sensing a theme?). All the products are open source, but the company charges for technical support and installation assistance. Price: $99 per server per month and up for technical support.
The OpenTrust security infrastructure is based on a number of open-source projects, most notably Cryptonit, a digital signature and document encryption tool. The commercial products provide additional features for digital certificates, smart card management, online encryption, and document management. Price: Not available.
Tripwire configuration audit and control software notifies you when changes have been made to sensitive files in your system. It’s a little bit difficult to find on their Web site, but Tripwire does offer an open source version; the Enterprise and Server versions include additional features and professional support. Price: Not available.