San Jose (CA) – Tatu Ylonen, the inventor of the Secure Shell (SSH) protocol and founder of SSH Communications Security told TG Daily that growing companies should consider switching from open source to proprietary software. Some may be surprised by Ylonen’s stance because of his open source background, but he argues that it’s this very background that has formed his opinion.
Ylonen said that his position is based on several experiences he has had, and that it reflects a common concern voiced especially in larger corporations that maintain vast IT environments. Support is a major issue which, according to Ylonen, may not have been addressed sufficiently. Firms want to obtain software from companies “that can be held accountable” for their actions. If that’s not the case, they will shy away from software where, as Ylonen put it, “no one stands behind it.”
Companies typically want answers to a few key questions if there is a security breach, including who is going to be liable. This lack of accountability is what makes open source less attractive. “When you have to deal with auditing and legal requirements, open source really isn’t an option,” he said. And it is this accountability that drives large customers toward proprietary software.
In addition to accountability, code review is a big part of secure software and Ylonen believes that this can be a problem in the open source environment. It’s a common perception that software is getting much more complex and that we are nearing “the limits of programming.” Modern software is written in chunks of modular code often using application programming interfaces that are specific to certain operating systems or development platforms. “Even when those APIs are published, there are subtle interactions and in practice it’s not possible to keep track of everything. If you have 50 million lines, you’ll have quite a few bugs,” said Ylonen.
A part of this opinion, Ylonen said, stems from his early work as the administrator of the SSH project. He recalled a time when many of the supposed bug fixes that were sent from around the world actually caused more bugs. “About one-third of all patches, which usually came from senior IT administrators, contained a bug that could be remotely exploitable. This gives you an idea in security software of how much you can rely on the community process. It needs someone to review everything.”
Of course, code review may slow development, in contrast to small open source projects that can implement changes quickly. However, Ylonen cautioned that fast changes may not always be a good thing. While code changes may be “a little” slower at SSH than in the open source world, Ylonen said, “It goes through reviews and is more controlled. There are no surprises.”
In advocating proprietary software for large organizations, it may appear that Ylonen has turned against open source software. But he claims that this is not the case. He said that both open source and proprietary software have their place: “I am not saying that free software isn’t a good thing. I’ve written free software and probably will do some in the future as well. I just don’t think that [open source software] is acceptable for large corporations in practice. It’s good for running on a small organization or your own machine.”
SSH, which was developed by Ylonen in 1995, is an encrypted protocol that has helped IT administrators securely log into their servers and transfer files. Application data is sent through an encrypted tunnel after both the user and the server authenticate to each other via a public-key exchange. After creating SSH and releasing it as open source, Ylonen founded the company that sells a commercial product line called Tectia.