
Your company needs a software cipher to encrypt data symmetrically. If security is a priority and licensing and costs are also concerns, which of the following is the best acquisition source?
A. Outsourcing
B. Open source
C. In-house development
D. Commercial-Off-The-Shelf (COTS)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Open source.
It complies with Kerckhoffs's principle: the algorithm and implementation of an open-source cipher, e.g., kokke/tiny-AES-c, are open to the public for review, and open-source licensing is more cost-effective and flexible.
- The cipher implementation of Commercial-Off-The-Shelf (COTS) is a black box and not open for review. Even if the COTS cipher uses a public algorithm, e.g., AES, it may have implementation bugs subject to implementation attacks. In addition, COTS licensing is limited and inflexible.
- Outsourcing is costly.
- In-house development uses a proprietary cipher, which doesn't meet Kerckhoffs's principle.
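Whatever the acquisition source, the candidate implementation can be checked against the public AES-128 known-answer vector from FIPS-197 Appendix C.1; that kind of review is exactly what a published algorithm (Kerckhoffs's principle) makes possible. This is an added example, not code from the original post or from tiny-AES-c: it uses Go's standard-library AES as the candidate, and NewBroken is a constructed stand-in for a buggy implementation that the test catches.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
)

// AES-128 known-answer vector from FIPS-197 Appendix C.1; the algorithm and
// its vectors are public, so any implementation can be checked against them.
var (
	katKey, _ = hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	katPT, _  = hex.DecodeString("00112233445566778899aabbccddeeff")
	katCT, _  = hex.DecodeString("69c4e0d86a7b0430d8cdb78070b4c55a")
)

// BlockFactory builds a block cipher from a key (same shape as aes.NewCipher).
type BlockFactory func(key []byte) (cipher.Block, error)

// PassesKAT runs the candidate through the vector in both directions.
func PassesKAT(newCipher BlockFactory) bool {
	c, err := newCipher(katKey)
	if err != nil || c.BlockSize() != aes.BlockSize {
		return false
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, katPT)
	if !bytes.Equal(out, katCT) {
		return false
	}
	c.Decrypt(out, katCT)
	return bytes.Equal(out, katPT)
}

// brokenCipher is a constructed stand-in for an implementation bug: correct AES, but the last ciphertext byte is corrupted.
type brokenCipher struct{ cipher.Block }

func (b brokenCipher) Encrypt(dst, src []byte) {
	b.Block.Encrypt(dst, src)
	dst[len(dst)-1] ^= 0x01
}

func NewBroken(key []byte) (cipher.Block, error) {
	c, err := aes.NewCipher(key)
	return brokenCipher{c}, err
}
```

PassesKAT(aes.NewCipher) returns true and PassesKAT(NewBroken) returns false; a real acceptance check would run the full NIST vector set, not a single block.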
Kerckhoffs’s Principle
Kerckhoffs’s principle (also called Kerckhoffs’s desideratum, assumption, axiom, doctrine or law) of cryptography was stated by the Netherlands-born cryptographer Auguste Kerckhoffs in the 19th century: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. … In accordance with Kerckhoffs’s principle, the majority of civilian cryptography makes use of publicly known algorithms.
Source: Wikipedia
Open-source software (OSS)
Open-source software (OSS) is a type of computer software in which source code is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software to anyone and for any purpose.
Source: Wikipedia
Software license
A software license is a legal instrument (usually by way of contract law, with or without printed material) governing the use or redistribution of software.
Source: Wikipedia
Open Source Initiative (OSI) Approved Licenses
The following OSI-approved licenses are popular, widely used, or have strong communities:
- Apache License 2.0
- BSD 3-Clause “New” or “Revised” license
- BSD 2-Clause “Simplified” or “FreeBSD” license
- GNU General Public License (GPL)
- GNU Library or “Lesser” General Public License (LGPL)
- MIT license
- Mozilla Public License 2.0
- Common Development and Distribution License
- Eclipse Public License version 2.0
Commercial off-the-shelf (COTS)
Commercial off-the-shelf or commercially available off-the-shelf products are packaged solutions which are then adapted to satisfy the needs of the purchasing organization, rather than the commissioning of custom-made, or bespoke, solutions.
Source: Wikipedia
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
Your company needs a software tool to encrypt data symmetrically. If security and licensing are both important issues that must be considered, which of the following is the best acquisition source?
A. Outsourcing
B. Open source
C. In-house development
D. Commercial off-the-shelf (COTS)