I don't hide the fact that I am a contractor to a few US Government
organizations and deal specifically with security issues. As such, I'm
asked if I'm seeing any open source or Linux items in my daily work.
Unfortunately the answer is always "not as much as I'd like to see". I
know that a Linux system can be hardened faster and easier (and cheaper)
than that other brand of OS. I know that compliance testing takes
half as long on Linux (and Solaris) as it does on that other brand. All of
this adds up to larger cost savings for the customer (the gov't) and for
the American public. So why aren't there more open source solutions out
there being used? Two words: "testing" and "certifications".
I'll use LUKS as a good example. LUKS provides "Data at Rest (DAR)
Encryption" for computer hard drives and removable media. By default, in
Fedora, it uses AES encryption and protects all data on the hard drive
from being copied or altered on a system that is powered down. It is
simple, easy to install, free, and meets the basic requirements for DAR
Encryption. Why isn't this an approved solution, then? Because LUKS
doesn't meet FIPS 140-2 requirements. Well, I won't say that it doesn't
meet the requirements, because it probably does, but it has never been
certified as such. And doing so usually takes $100k+ and a
few months of government testing. If you are developing open source
software, you probably don't have the money to fund such testing.
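The distinction the post draws is between an approved algorithm and a validated module. As an added example (not from this post or from the cryptsetup project), the shell function below reads a constructed LUKS1 `cryptsetup luksDump` header and reports whether the cipher and mode are FIPS-approved algorithms (AES with CBC per SP 800-38A or XTS per SP 800-38E); the field names and sample device path are assumptions modelled on LUKS1 output, and a pass says nothing about whether the implementation itself has been validated.

```shell
#!/bin/sh
# Constructed sample of a LUKS1 `cryptsetup luksDump` header; not a real device.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Print the value of a "Key: value" field from a header dump held in $1.
luks_field() {
    printf '%s\n' "$1" | awk -F':[[:space:]]*' -v key="$2" '$1 == key { print $2; exit }'
}

# Return 0 when the header's cipher is AES in a FIPS-approved mode of operation
# (CBC or XTS), 1 otherwise. This checks the algorithm choice only; FIPS 140-2
# validation is of the implementation, which is the gap the post describes.
luks_fips_check() {
    cipher=$(luks_field "$1" "Cipher name")
    mode=$(luks_field "$1" "Cipher mode")
    case "$cipher" in
        aes) ;;
        *) echo "cipher '$cipher' is not AES"; return 1 ;;
    esac
    case "$mode" in
        xts-*|cbc-*) ;;
        *) echo "mode '$mode' is not an approved mode of operation"; return 1 ;;
    esac
    echo "cipher $cipher-$mode uses FIPS-approved algorithms (module validation is separate)"
    return 0
}

# Stand-alone run against the constructed header.
luks_fips_check "$SAMPLE_DUMP"
```

To inspect a real volume, feed the output of `cryptsetup luksDump /dev/<device>` (run as root) to `luks_fips_check` instead of the constructed sample.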
There are a few notable exceptions. SELinux was a joint project between
the community and the NSA. That worked out well for all involved.
I'd like to see the bar lowered so that software can be accepted as a
solution instead of being discarded because it doesn't have a large
amount of funding behind it.