Gartner Inc. analysts may expect open source software to make up as much as 22% of the total commercial software market sometime this decade, but sales of open source security products still lag behind other categories, experts said.
Questions about who will provide service, who's liable in case of failure, the predictability of updates and other comfort factors common to proprietary software play a larger role in security than other areas. That adds up to fewer opportunities for channel companies hoping to sell open source security software, some analysts said; though others believe success is possible for channel companies that can provide traditional software support to their open source customers.
"There are certain tools where it makes much more sense to go to commercial security," said Rich Mogull, analyst at Gartner Research. "[Open source] generally isn't going to be as polished. You're not guaranteed a certain level of support."
Most businesses rely on open source security software to a certain degree, even if their CIOs don't know it. Many commercial intrusion detection systems (IDS) are based on Snort -- an open source packet sniffer and IDS.
The open source scanners Nessus and Nmap are also popular, as are open source firewall management tools, according to John Viega, an open source author and chief security architect for McAfee. (One caveat for anyone counting Nessus in that column: its scanning engine went closed-source with version 3 in 2005, so the open source lineage is the 2.x code and the OpenVAS fork derived from it.)
"Many are as good as, if not better than, any commercial equivalent on the market," said Mike Cobb of Surrey, U.K.-based Cob Web Applications.
Open source security software pros and cons
Customers are not inherently opposed to open source security software, as long as it meets their needs, Viega said.
"It certainly depends on the vertical, but on the whole, to the business community, software is software," he said.
The process of developing open source software also helps it become more secure, according to Stephen O'Grady, an analyst with Denver-based RedMonk.
"With open source solutions available for anyone to test and try to break, they have some advantages in QA and penetration testing over proprietary alternatives," he said in an instant messenger interview.
Businesses thinking about open source security software should consider how its functionality matches their requirements, understand what support is available and assess the total cost, Cobb said in an email.
"As open source is free, it obviously comes in ahead in terms of cost," he said. "But many administrators remain wary of open source software, often citing the lack of any warranty protection."
Another issue is that, because most open source software begins on Unix machines, it doesn't necessarily take advantage of the Windows environment as fully as proprietary software does, Cobb added.
O'Grady disagreed with Cobb on that point. All security products must be able to function in mixed environments, he said.
"Many security solutions begin at levels above the OS in a network-topology sense," he said.
Open source becoming more popular?
Security software revenues increased 15% from 2004 to 2005, according to the most recent Gartner Dataquest information available. And security enhancements are businesses' top IT priorities for 2007, according to a December report by Forrester Research.
Although Forrester and other market-share estimators tend not to count open source software separately from proprietary within the security market, open source products are gaining on proprietary, O'Grady said. Many concerns about its safety have been allayed by SELinux, the mandatory access control extension that the U.S. National Security Agency developed and then released to the Linux kernel community, he said.
"The level of understanding and appreciation for open source software is improved -- security included," he added. "I think open source is becoming more popular, generally speaking, and the security space is no exception to that rule, from what I've seen."
The Madrid-based OSSIM (Open Source Security Information Management) project also sees a trend and plans to take advantage of it next month by offering exclusively open source security products to customers. OSSIM's clients so far include financial institutions and telecommunications companies, technical manager Julio Casal said.
"Financial companies are accepting it and trusting the open source way," he said. "In the technical markets, they are very open-minded about open source because they are technical-minded people."
OSSIM's business model may be more successful in parts of Europe, like France and Scandinavia, where open source is more widely used, O'Grady said.
And OSSIM execs also realize there will always be some resistance.
"It's more of a cultural thing," Casal said. "If a client is of a proprietary mind, it will be very difficult to convince them [about open source]."
Channel opportunities in open source security software
Concerns about open source security software usually are about its robustness, not the security itself. That's where the channel can come in, by providing the support and service customers would expect from proprietary security, Viega said.
Many value-added resellers (VARs) may have a hard time doing that, because "you need to have the expertise in house to support these things," but those that do can make open source another option for their clients, he said.
Although OSSIM is working directly with its customers in Spain, it has channel partners to install its products and consult with clients in other European countries, Casal said.
But others, like Mogull, see no channel opportunities in open source security -- "unless," he said, "they want to sell something for free."
Let us know what you think about this story; email: Colin Steele, Features Writer.