How can I convince IT that F/OSS software isn't evil?

Question

When trying to link some well established tools to my company's active directory, I hit a roadblock. I was told that:

"Sorry, I cannot trust our domain admin password to [F/OSS] software...".

This question deals specifically with how to convince IT that F/OSS software isn't (automatically) less trustworthy than any other software just because it's free/oss.

I'm doing fine with adopting OSS software (I'm a linux ninja at heart) so to put it another way: How can I promote the acceptance of OSS at my company?

The technical issue of tying into AD without an admin account is for another post.

---

EDIT:

I got some clarification on these issues. This really has little to do with the active directory and all to do with trust of F/OSS in general. So I think my original bolded questions are still valid, just ignore the part about the "admin password".

Answer 1

If you have the source code for (and roughly understand the language behind it) go through the code and try to find any security issues that could potentially put passwords/information at risk. If you can, compile your own version of the source code after you've looked over the code, just to be safe.

Answer 2

I would try it this way:

Why would open-source software be less trustworthy than it's close-sourced equivalent? If anything, the transparency of its code would require that it be even more trustworthy, in terms of private data storage such as passwords, since any attempt to subvert it would be discoverable by examining the source code.

This, of course, is only valid if the company compiles the source themselves, and does not trust a binary distribution.

Answer 3

Identify exactly what he cannot trust about F/OSS software and then you can tailor your explanation to address his concerns.

• Is it concern about backdoors being coded in?
• Is it concern about code quality that leads to security risks?
• Is it concern about how soon security risks will be fixed?

Answer 4

Any IT person worth their salt will be well aware of the benefits of open source software.

The answer that has been given sounds to me like a palm off answer, some possibilities of why they don't want to implement it could be:

• Possible lack of enterprise level support for that specific software open source software
• Not wanting non-IT department employees to be modifying the active directory (you)
• The software you have found doesn't have the industry recognition that other similar products have
• There is no perceived benefit for the IT department for the work it would require them to do (both in the initial setup and ongoing maintenance)

Answer 5

I would put the onus on IT to prove their case. Simply ask "why not?", or possibly "what evidence do you have that this is any less secure than non-GPL software?". If they attempt to give some explanation, you can take some of the other suggestions to explain their misconceptions to them. If they just stubbornly stand their ground, they are standing in the way of you doing your job - and for no good reason. Gently explain to them how you have found incredible value (ie free) software that adds value to the company, and that you're sure the higher levels of management would want you to take advantage of it. Hopefully this will remind them they have no evidence. If even this fails and it's important, you could then take it to higher levels of management, but proceed with caution as it's a sure fire way to make enemies.

Answer 6

Ask them if they have read the license since that is what they object too. Ask them specifically what in the license is an issue for them. If what they are really resisting is Open Source Software, then that is a separate issue from resisting the GPL.

Answer 7

Why not run as a non domain admin? I can understand why they don't want to give a domain admin password to any software. Especially if there is only one "Domain Admin" account.

How about you determine exactly the permissions needed to run the software and request a new account with only those permissions. You could convice them to put this in a different OU, with additional auditing. If the software provides value, you are creating a process for them to "audit" and decide to trust OSS.

Answer 8

I work as a sysadmin. From my perspective this question isn't about trusting Open Source software specifically. Your IT person mentioned a specific case saying he didn't trust it with the domain admin username and password. I think he may be concerned with the software storing that username and password. If that is in fact how it works I would deny the request for open source or commercial software. No properly setup system should need to store the domain admin username and password, possibly an account with lower credentials, or depending on the tool if it is interactive have it setup to ask for credentials at runtime and authentcate against the domain.

Bottom line you need to work with IT to come to a better understanding of your and their needs. Things need not always be only a yes or no issue.

Answer 9

"how to convince IT that F/OSS software isn't (automatically) less trustworthy than any other software just because it's free/oss."

"How can I promote the acceptance of OSS at my company?"

You can't.

All you can do is the following.

1. Find the F/OSS they currently use. This can be hard. In some cases, it's trivial because many folks use Apache and Java without thinking about it.

2. Ask how is what you're going to use different than what they're already using?

That will make the case for exactly one new piece of F/OSS. Or, they'll go crazy and banish stuff they've been using.

You can't make a general understanding happen. You can only make the case one specific detailed case at a time until someone else starts to piece the big picture together on their own.

Answer 10

What tools do you want to use? Make the business case about how much time/$$ will be saved by using these tools. Give examples of other, highly-successful companies (Google comes to mind) that use these tools.

Answer 11

You're talking about Windows admins. Just point out how MSFT has handled recent security issues (like the recent IE holes that have mainstream media telling people to use alternate browsers) and ask how OSS can be any worse.

Answer 12

First and most importantly, make sure these decisions by IT are being recorded somewhere. Email or whatever. If you can't do your job effectively because of them, make sure you have enough documentation to redirect the blame where it belongs.

Answer 13

Sometimes they are not, sometimes they are. You need evidence to backup your thoughts.

CVE numbers don't lie. Go to http://cve.mitre.org/ , http://www.securityfocus.com/bid/, http://www.secunia.com and compare commercial and OSS version of the same line of products that you'd choose.

See which one is better sometimes it's the fact that the OSS product is really rubbish such as PHPNuke but sometimes it's darn good when it comes to security such as qmail.

Also don't forget you need to choose a OSS solution which got a good community otherwise you might see the project is dead after a year. this is possible in the commercial world, but let's face it less likely

Answer 14

Look beyond IT. Your sysadmin may be following rules set down somewhere else in the company, typically a legal department. If that's the case, you may have a company lawyer who doesn't know about software or FOSS reacting with a corporate lawyer's typical reaction to the unknown - forbid it. After you've demonstrated cost and security benefits, you may need to ask the company to reach out to a legal expert in the area of FOSS.