In 2003 Sreenivasa Rao Vadalasetty helped write a report for the SANS Institute titled “Security Concerns in Using Open Source Software for Enterprise Requirements.” To some, that title today is almost laughable.

The report stated: “Though the open source has potential to be more secure than its closed source counterpart, it should not be taken for granted that open source is more secure because there are some constraining factors. Despite the fact that the source code is available for everyone, several vulnerabilities in open source remain undiscovered ....”

In a survey done by Black Duck Software last year, the findings showed that use of open source software has increased. The survey, which analyzed input from a record 1,300 C-suite and senior IT professionals, found that 78 percent of respondents said their companies run at least part of their operations on open source, a number that has doubled since 2010.

“We’ve come a long way since then. It’s clear that open source has become the default base for software development, infiltrating almost every facet of the modern enterprise and outperforming proprietary packages on quality, cost, customization and security,” said Paul Santinelli, general partner at North Bridge, which partnered with Black Duck on the survey.

The survey also found that 55 percent of respondents said open source delivers superior security.

“Open source security products have been used for more than two decades. Let’s take Snort, for example. Released in 1998 and used for IDS/IPS by some of our own government’s three-letter organizations. OSS originally got a bad rap for poor security due to proprietary software vendors’ FUD tactics. Many companies have come to realize that more patches fixing security are released for OSS than most proprietary products. Why? The size of the community in any given project, agile processes and the need to act quickly to resolve any issues. Proprietary vendors still have a lock on finance and [human resource] applications... but that could be the next area for innovation in open source software,” he added.

Michael Taylor, applications and product development lead at Rook Security, said the open source community has consistently created excellent tools for both general and security purposes. “The reason these tools have been successful is that they are created in the open, so there is no mystery behind what the code is actually doing. This allows each user to determine for themselves whether they are comfortable with the actions of the tools,” he said.

Additionally, he said, the user gets to be involved in the development process through the creation of additional features, bug reports, and code review of the projects. This community involvement greatly increases the population of testers and code reviewers.

“We have used many different open source tools for security and in day-to-day activities. Most of the population has likely used open source items in one form or another, such as cell phones, operating systems within their cars or other home devices, and many other embedded systems. The security around these platforms is often components from different open source projects. An example is the embedded Linux system in a car would have security components that would be seen in a production web server,” Taylor said.

Many tools that are open sourced are more readily usable than the closed source alternatives. The visibility of how the code works allows an end user to quickly integrate the open source tool into existing systems. “When we are examining potential new tools, selecting an open source project which satisfies our needs is typically a better option than the alternatives. This is because we are able to rapidly deploy an open source tool without making a financial commitment to another company. It also lets us determine a proof of concept for using the new project,” he said.

Rook Security uses Snort and Suricata for network monitoring, Elasticsearch as a database solution to handle many types of data, and OpenSSH for connecting securely to a host using strong encryption and authentication methods.

Bill Weinberg, senior director and analyst of open source strategy at the Linux Foundation, said open source software is deployed in nearly every aspect of enterprise infrastructure and across enterprise networks “to a degree unimaginable just a few years ago”. He cited a Gartner report that found an average of 29 percent of enterprise software stacks are comprised of open source software, with best-in-class organizations utilizing up to 80 percent open source in their portfolios, freeing funds and resources to develop, acquire and deploy commercial/proprietary code for the most differentiating and/or business-critical functions.

When asked if open source is secure for every corner of the enterprise network, he said, “The issue isn’t whether open source is secure enough for PII - it’s whether the systems processing PII are sufficiently secure. The whole networks and the apps that run on them, which are today a heady mixture of proprietary and open source code.”

“We are entering a ‘post proprietary’ era where it is basically impossible to build and deploy applications without some integration of open source software. This phenomenon extends from the enterprise desktop to enterprise data center applications to the cloud and of course to mobile/embedded,” he said.

Finance and human resources, while handling highly proprietary and sensitive information, are not immune to the benefits of deploying on and with open source, Weinberg said. “On premises, HR and Financial apps run on Linux and integrate a range of open source libraries and middleware,” he said.

Focusing on “networks”, that is, (embedded) network equipment, he noted that at least 80 percent of the code deployed in routers, access points, NAS and other network nodes is open source.

Santinelli added: “Just for fun, I took a look at survey responses from 2007 to find that some actually labeled open source as a ‘gimmick,’ and a majority believed that a startup software vendor could only be successful with a product/service that is not open source.”

The survey showed that 45 percent of respondents gave open source the first look when evaluating security technologies for internal use.

Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, is also a proponent of open source. He cited the “many eyes” theory, whereby the more people reviewing the code, the less likely vulnerabilities are to get through. With the extensive peer review process, he feels comfortable using open source products. The only downside he sees with open source products is the lack of support: a commercial vendor is contractually obligated to respond to issues with its product.

Michael Pittenger, vice president of product strategy at Black Duck, said the support model for open source is backwards. “It is up to you (as the user) to know if there is a new version of that software available,” he said, adding that you have to be engaged to know when vulnerabilities have been found.

“I don’t find companies shying away from open source” when it comes to departments like human resources, he said. “With this support model, nothing is getting pushed to [the user].”

“Utilizing open source solutions, whether it is for PII, financial records, or proprietary information, should not be a concern for most institutions. The underlying encryption algorithms, communication protocols, and operating systems are often already open sourced,” said Rook’s Taylor.

He added that this allows researchers to examine the code directly for defects and vulnerabilities. It is more difficult to investigate the precompiled binaries delivered by closed source products.

“If a vulnerability is identified in a closed source piece of software, the end user must wait for the company to produce and distribute the patch. An open source project will often be able to produce a patch more quickly due to all of the end users and developers of the project working towards a solution,” he said. “Ultimately, it is the company’s responsibility to identify and utilize a sufficiently secure solution for their data. In a software as a service model, the liability may be deferred somewhat to the service provider, but damage to the company’s reputation will still be inflicted.”

He does not think there are any company departments which should inherently not use open source software. There is typically higher overhead for the management of open source tools and sometimes a lack of support (some notable exceptions being Red Hat, Elasticsearch, etc.).

“Open source has solidified its position as the default base for software development. It is infiltrating almost every facet of the modern [network]. In the startup community we are seeing a continued wave of open source born companies – the next wave of Red Hat, Acquia and Ubuntu while at the same time seeing traditional IT leaders such as HP and Microsoft grafting open source DNA into their core,” said Santinelli. “In the coming years, we will see open source unlock the potential of a new generation of technologies – the Internet of Things, big data and cloud computing creating many billions in value.”

J.J. Thompson, founder and CEO at Rook Security, said open source tools are very useful for providing data enrichment that adds context to an attack and makes it easier to bucket. Many commercial tools provide information about the IDS signature or the originating IP, but do not glue it all together.

“Instead of trying to find a super-sized offering to do this, which none do effectively, it is often better for internal teams to glue the pieces together themselves with open sourced threat intelligence,” he said.

Additionally, scripting the capture of information about the asset under attack can help security teams decide how to respond based on the business criticality of the asset, he said.

The 2003 SANS report noted, and it is still true today, that enterprises should do an extensive risk and security analysis before choosing open source solutions over their closed source counterparts. The analysis should consider factors such as the expertise available in-house and the support options available for the respective open source product. Well documented and implemented security policies and best practices help an enterprise mitigate the risks and enjoy the real benefits of open source.
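The enrichment-and-bucketing workflow Thompson describes, as an added example that is not Rook Security's code or any tool quoted on this page: a small Python script that parses Snort "fast" alert lines, joins each alert to a hypothetical asset inventory (hostname and business criticality) and a hypothetical threat-intel IP list, and assigns a response bucket from the combination. The three alert lines (local-rule SIDs, documentation-range source addresses), the inventory, the intel set and the bucket thresholds are all constructed for the example and are assumptions, not data from the article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Three alerts in Snort "fast" output format. Constructed for the example:
# local-rule SIDs (1000001+), documentation-range source IPs, private
# destination IPs. Not captured traffic.
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:2] LOCAL id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234",
    "01/15-10:24:01.000001  [**] [1:1000002:1] LOCAL inbound MSSQL probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:4444 -> 192.168.1.20:1433",
    "01/15-10:25:12.500000  [**] [1:1000003:1] LOCAL PE EXE download [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.9:80 -> 192.168.1.55:49152",
]

# Fast-alert layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical asset inventory: IP -> (hostname, business criticality, 1 low .. 5 high).
ASSETS = {
    "192.168.1.10": ("web-prod-01", 5),
    "192.168.1.20": ("hr-db-01", 5),
    "192.168.1.55": ("kiosk-lobby", 1),
}
UNKNOWN_ASSET = ("unknown", 3)  # an unlisted destination is treated as medium criticality

# Hypothetical threat-intel feed, already reduced to a set of flagged source IPs.
BAD_IPS = {"203.0.113.5"}


@dataclass
class EnrichedAlert:
    sid: str
    msg: str
    snort_priority: int
    src: str
    dst: str
    asset: str
    criticality: int
    intel_hit: bool
    bucket: str


def bucket_for(snort_priority: int, criticality: int, intel_hit: bool) -> str:
    """Combine signature priority (1 is most severe in Snort), asset criticality
    and intel context into a response bucket. Thresholds are illustrative."""
    if intel_hit and criticality >= 4:
        return "P1-respond-now"
    if intel_hit or criticality >= 4 or snort_priority == 1:
        return "P2-investigate"
    return "P3-monitor"


def enrich(line: str) -> Optional[EnrichedAlert]:
    """Parse one fast-format line and attach asset and intel context.
    Returns None for lines that are not alerts so callers can skip them."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    asset, crit = ASSETS.get(m["dst"], UNKNOWN_ASSET)
    prio = int(m["prio"])
    intel_hit = m["src"] in BAD_IPS
    return EnrichedAlert(
        sid=m["sid"], msg=m["msg"], snort_priority=prio,
        src=m["src"], dst=m["dst"], asset=asset, criticality=crit,
        intel_hit=intel_hit, bucket=bucket_for(prio, crit, intel_hit),
    )


def enrich_all(lines):
    return [e for e in (enrich(line) for line in lines) if e is not None]


if __name__ == "__main__":
    for e in enrich_all(SAMPLE_ALERTS):
        print(f"{e.bucket:15} sid={e.sid} {e.src} -> {e.dst} "
              f"({e.asset}, crit={e.criticality}, intel={e.intel_hit}) {e.msg}")
```

The point of the join is visible in the first two alerts: both carry the same Snort priority, but one source is on the intel list and lands in P1 while the other is bucketed by asset criticality alone. In practice the inventory and intel set would be loaded from a CMDB export and a feed file rather than hard-coded.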
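Pittenger's point earlier on the page, that nothing is pushed to the user and you must find out yourself when a new version or a vulnerability appears, as an added example that is not Black Duck's tooling or code from the article: a Python check that reads a pinned dependency manifest and matches it against an advisory list using OSV-style introduced/fixed version ranges. The package names, pinned versions and advisory identifiers are fictional and constructed for the example; no real project or vulnerability is implied.

```python
import re

# Constructed manifest in requirements.txt style. Package names are fictional.
MANIFEST = """\
# pinned application dependencies (constructed example)
examplelib==1.4.2
fastparse==3.0.0
tinyhttp==0.9.7
"""

# Constructed advisory feed. Each entry follows the OSV "introduced / fixed"
# shape: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "HYPO-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "HYPO-0002", "package": "tinyhttp", "introduced": "0.9.0", "fixed": "0.9.7"},
    {"id": "HYPO-0003", "package": "fastparse", "introduced": "2.0.0", "fixed": "2.8.1"},
]


def parse_version(s: str):
    """'1.4.2' -> (1, 4, 2) so tuple comparison orders versions numerically.
    Only dotted-integer versions are handled; anything else raises ValueError."""
    return tuple(int(part) for part in s.strip().split("."))


def parse_manifest(text: str) -> dict:
    """Return {package_name_lowercased: pinned_version} for 'name==version' lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m is None:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(manifest_text: str, advisories) -> list:
    """Cross the pinned set against the feed; one hit per matching advisory."""
    pins = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and is_affected(pinned, adv):
            hits.append({
                "package": adv["package"],
                "pinned": pinned,
                "advisory": adv["id"],
                "upgrade_to": adv["fixed"],
            })
    return hits


if __name__ == "__main__":
    for h in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"{h['package']}=={h['pinned']} affected by {h['advisory']}; upgrade to {h['upgrade_to']}")
```

The half-open range matters: tinyhttp is pinned exactly at the fixed version and is correctly not reported, while examplelib sits inside its range and is. Run this on every build, not once at adoption, since the advisory list is what changes after the dependency is pinned.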