Federal agencies that previously relied on expensive, built-to-order software are now following a growing trend to embrace open source code. 

“Every company in the top 100 government providers uses open source in their products: all of them,” said Scott Montgomery, McAfee [MFE] chief technology officer for the public sector. 

“Open” source code means that the human-readable code is made publicly available and can be modified and reviewed. This gives the software community opportunities to find vulnerabilities and improve the code. Open source code allows any developer to use it as a foundation for a program or application. While this creates efficiency and cuts cost, it also presents hackers with a chance to search for potential exploits in widely used open source codes. 

Gunnar Hellekson, chief technology strategist for open source software firm Red Hat‘s [RHT] public sector group, said the number of people working to secure the code counteracts the potential for security breaches. 

“Open source does mean that more people can look at your code and identify flaws in it, but it also means that more people can go in and fix it,” he said. 

Hellekson named the Financial Protection Bureau, the Director of National Intelligence, the Federal Communications Commission, and the Department of Defense as leaders in the use of open source code.

As one of the first open source adopters, DoD released a memo in 2009 encouraging open source projects. Following the memo, the Army created its “Apps for the Army” program to solicit applications from developers and speed up the service’s software acquisition process. The Army’s Chief Information Officer said the challenge produced 53 usable apps in 75 days. 

The Army provides one successful example of open source code use in DoD, but the memo also served to dispel security concerns surrounding use of open code. The memo gave best practices for the verification process and said the use of open source software without a warranty should be limited, as it cannot be adequately vetted. The memo clarified what it calls a “misconception” that DoD must re-release any modifications that it makes to open source code. The department said it would release security patches it discovers, but that it is not obligated to release internal changes to code that it adapts for its uses. 

Hellekson attributes the shift to open source code adoption to the positive experience users had with the Linux operating system and now with Google’s [GOOG] Android. Throughout the 1990s and early 2000s, Linux, based on freely downloadable source code, began challenging its expensive Unix competitor. Although Microsoft [MSFT] Windows reigns as the most-used operating system for basic desktops, Linux is considered secure enough to run some of the world’s largest supercomputers and Android has cornered the mobile market.

There are two types of open source code, Hellekson said. Code downloaded from the Internet without proper vetting is not the same as open source code distributed by a firm that provides ongoing support and security patches. He said he does not recommend agencies to download open source code and embark on projects on their own. 

“They will find it a lot more work, a lot more expensive to maintain over time,” he said. “My concern is that will sour them on open source.”

McAfee’s Montgomery said there are several methods to ensure that open source code is safe. An agency considering a piece of open source code can hire a third party company to verify the code by either statically examining it or dynamically testing it in a lab. 

Montgomery also suggested that developers use “version control” or “source control” while they are working on code. This means that any changes to the code are given a version number and all of the versions are stored in a central repository. If a bug is found, developers can revert to a previous version without compromising the project.

“The more sensitive the data becomes, the more an expenditure makes sense,” he said of the vetting process.

However, Montgomery said time and budget constraints often force agencies into throwing projects together without proper security verification. 

“Very few times do I see people doing that upfront analysis,” he said.

With the right amount of effort, Montgomery said open source code can be a valuable tool, but he cautions that it must be included in an agency’s risk management decision. In certain cases, he said, proprietary software development remains the most effective option. 

“The more classified the data gets and the closer to mission the application becomes, the more appropriate it is to have something built for you,” he said.