ATO avoids open source due to security concerns

Security concerns have kept the Australian Tax Office (ATO) from adopting open source software, according to the agency's CIO Bill Gibson.

In a video interview with ZDNet.com.au this month, the ATO's Gibson said that while he is not opposed to open source software in principle, he "continues to have concerns about the security-related aspects of open source products."

"We are very, very focused on security and privacy and the obligations we have as an agency to ensure that we protect the rights of citizens information in that respect," he said. "We would need to make sure that we are very comfortable -- through some form of technical scrutiny -- of what is inside such a product so that there is nothing unforeseen there."

Gibson said that while the ATO uses a number of open source components within its systems, it hasn't dived in to open source applications due to concerns around getting the right kind of assurance that "the code is doing what it is intended to do."

"I realise that these risk exists even in proprietary code, however there is a vendor's reputation that helps protect [you and] provide that assurance."

Gibson is by no means the first to question the level of assurance an enterprise customer can expect from open source software.

Five years ago, as Linux entered into the mainstream computing world, several reports commissioned for the likes of Aberdeen Group and Microsoft-sponsored thinktank ADTI, questioned whether Linux might actually be as vulnerable as Windows, for example.

• Aberdeen report -- Linux less secure than Windows
• A 2002 report talking up the security risks of open source.

These advocates of closed software argued that proprietary systems boast "security through obscurity" -- meaning that there is less chance of attack if the code isn't widely available in the developer community.

Open source advocates, on the other hand, argue that the peer review model among open source developers results in better architected software. They also argue that enterprise versions of open source software, such as Red Hat, tend to respond quicker to security issues than the likes of Microsoft.

"All software has bugs, no matter what the licence, and some of those bugs have a security consequence," said Mark Cox, director of Red Hat's security response team.

"It's not the licence that determines how secure a given software project is -- software quality is a measurement on how the software was developed and how the project responds to security issues that are discovered. Open source is often credited as having a fast reaction time."

Organisations considering open source can still mitigate risks, he insists, by using an enterprise-level distribution, which provides a single source of notifications along with support from a security perspective, across a range of open source applications.

If a customer had installed Red Hat's Enterprise Linux 4 package, he said by way of example, and selected every available application with it, 81 percent of critical rated vulnerabilities had fixes available within a single calendar day.

Security vendors such as Trend Micro have agreed with this assessment -- hailing the open source model as one that enables better security outcomes.

Despite his concerns, Gibson says the ATO would still consider an open source application if it both meets the agency's needs and "if there is a trusted entity that provides [the required level of] assurance."

"We've got a number of components within our operating environment that utilise open source technology, but we have not found an ATO office-wide application like a Microsoft Office or StarOffice that we are yet comfortable with," Gibson says.

"When we find one, there is no reason why we would not embrace it. Something like standard office software could be a starting point and we may explore that as part of our end-user computing outsourcing bundle, which we will kick off in the second half of this year."

The full interview with Gibson will be published on the ZDNet.com.au CIO Vision Series page today.