Software security: How closely should you look?
While it may be a cool product from a Canadian company that claims more than three million users, no one would call Hamachi a household name. Created by Vancouver-based Applied Networking, Hamachi is a free piece of software that allows computer users to connect with each other over the Internet -- rather than with a cable -- through what is called a virtual private network. Gamers love it, and international video game addicts probably account for a great deal of its user base. It would also be useful to small businesses that want to link up with their branch offices or access their office systems remotely from home.

Applied Networking hoped Hamachi would turn into a money maker by offering a fee-based enhanced version, but it ran into complaints that are bound to bedevil many other Web 2.0 firms: Customers wanted to see what's under the hood. In on-line forums and even on a Wikipedia entry about the product, users worried that Hamachi wasn't safe because it wasn't open source. In other words, no one except Applied Networking could look at the lines of programming that make Hamachi work and verify that it is secure enough to exchange sensitive business information.

"There certainly was a demand for opening the source code," says Alex Pankratov, Applied Networking's co-founder and chief executive officer. "Unfortunately, this came from people who don't understand the implications of open versus closed source."

There is a theory among some developers that since many eyeballs will be looking at a piece of open source software, there will be a reduced risk of security holes. This may not be true in practice, but obviously it can't hurt to know how an application was put together. Companies, meanwhile, might not be eager to give away their secret sauce, but if their customers are big enough, they may be forced to offer a taste test.
Three years ago, for example, Microsoft said it would allow government customers to look at Windows source code under a program called Shared Source. This didn't mean Windows suddenly became open source -- those involved in the program aren't allowed to make changes to the operating system -- but it was intended to help address the security concerns of public sector customers. Yet if Microsoft feels compelled to allow source code review, how can an upstart company offering something like Hamachi hold out?

"We have some customers who are working with major software vendors and requiring them to run our tool so they have a better sense of comfort that, when it lands in their shop, the software won't cause problems," says Jack Danahy, founder of a Waltham, Mass.-based company called Ounce Labs Inc., which sells a product that reviews source code. "There really is an uptick."

Robert Begg, CEO of Toronto-based security consultancy Digital Defence and president of a local IT security user group, agrees, though he suggested it was mostly among companies with deep pockets. "There is an increasing demand for source code auditing, especially within the financial industry," he said. "They have the money to afford it and the applications that are going to be put at risk."

According to Mr. Begg, it could cost $5 per line of software code for a human being to conduct a thorough analysis. Tools such as those from Ounce Labs can automate this process, of course, but in many cases those tools are just scanning for common bugs, he explains -- they might not identify the big, unexpected problems that a human being might. The small businesses that make up most of the Canadian market won't be able to make those kinds of investments, but surely they deserve some reassurance, too. In Hamachi's case, Mr. Pankratov says it is less important to open the source code and more important to design software according to IT security standards.
However, if you have ever dealt with a software company, they all say they do that. "What you're going to see is smaller companies will be at a greater risk for a very long time," Mr. Begg says.

Marton Anka, whose Woburn, Mass.-based company LogMeIn acquired Applied Networking and Hamachi last month, says the key to convincing small businesses of a product's security is pointing to large business customers. "If you are able to win the trust of companies like Best Buy, which we have, I think that says something to the market," he says. "The reality of the situation is that if you have a medium-sized company like LogMeIn that will stand behind their products and make it their business model to be trustworthy, that's more important [than looking at the source code]."

Another idea, says Mr. Danahy, is researching the third-party companies such as VeriSign or Unisys that may have already certified a software product as safe. In both cases, it means taking someone else's word for it. On the other hand, how many small businesses would say their core competency includes validating software code, even if they were allowed to review it on command?

The ability to deliver software as a service over the Internet is opening up many opportunities for companies that develop Web 2.0 applications -- the software that allows us to share ideas and collaborate more easily than before. The downside is that these fledgling firms will also face a higher level of scrutiny around the security of their products than many of their better-known predecessors. If they do a good job of keeping viruses and bugs out, they may not be asked to open up their source code for review. However, if there is a series of high-profile Web 2.0 security disasters, audits may become a standard part of business. As for the Web 2.0 customers, their future technology purchases are going to trigger some serious introspection about their risk-assessment capabilities.
The big decision will not only be whether they want to take a closer look at a piece of software, but how close a look they are prepared to take.

Shane Schick is editor of ITBusiness.ca.