In one of the biggest testaments yet of open source's security credentials, and of its ability to deliver security at lower cost, the US National Security Agency (NSA) has turned to open source to create part of the Tokeneer System. The Tokeneer System is a biometric security software system, but that isn't why it's significant.
No, open sourcing part of the Tokeneer System is significant because it "shows that highly dependable software can be developed cost-effectively," as noted by Martyn Thomas of Oxford University. The same or better security than proprietary approaches... for much less.
For those who continue to cling to the principle that security is best achieved through obscurity, the US's most secretive agency has a response: open source is better.
The unprecedented release of the project into the open source community aims to demonstrate how highly secure software can be developed cost-effectively, improving industrial practice and providing a starting point for teaching and academic research. Originally showcased in a conference paper in 2006, it has the long-term aim of improving the development practices of NSA's contractors. Tokeneer was created as a fixed-price project, taking just 260 person days to create nearly 10,000 lines of high-assurance code, achieving lower development costs per line of code than traditional methods.
This result should not be underestimated. As Professor Daniel Jackson of MIT Computer Science Lab suggests, "Finally, we have a full and open example of a development from a world leader in high integrity systems." In other words, this is a significant proof point from an established security leader that open source can deliver industry-leading security at lower cost than standard procedures.
In a booming market, perhaps this wouldn't matter. But the market is not booming. If anything, it's headed to a bust. As such, open-source principles are critical to ensuring that governments and enterprises can stretch budgets to the maximum.