When embedded systems development teams investigate which security tools to
include in their devices and applications, open source libraries often seem
attractive. There appears to be an open source implementation of virtually any
security protocol, such as OpenSSL, OpenSSH, and the various *Swan IPsec
implementations (FreeS/WAN, Openswan, and strongSwan). Such projects are
popular, offer many optional user-contributed add-on modules, and best of
all, they are free.
A closer observation, however, reveals that there is in fact "no such thing
as a free lunch", especially when it comes to implementing security in
non-PC environments. Common downsides to using open source security code in
production environments include:
Porting considerations—Open source security libraries were designed for general-purpose desktop and server systems. Adapting them to embedded devices requires costly development time for non-trivial platform ports, performance optimizations, and footprint reductions.
Security concerns—Open source security code has a history of routine and significant security flaws, and of non-adherence to standards, which causes interoperability issues.
Hidden costs—Open source libraries appear to be free, but once the cost of extra development, maintenance, legal liabilities, and so on is included, the TCO (total cost of ownership) usually exceeds that of Mocana's commercially sold and supported code. (Open source TCO can be easily estimated by using Mocana's free calculator.)
Support issues—Lack of documentation, samples, support, and maintenance for open source means developers are on their own and must invest significant time to integrate security code, all the while raising the risk of introducing security holes into their application.
Code quality—The quality of open source code varies considerably from project to project, and even among modules in a given code base. Testers cannot take anything for granted, and will spend considerable effort on platform testing and integration efforts.
Certification and legal issues—Open source security code has a history of difficulty getting and keeping FIPS validations, as well as leaving manufacturers with considerable legal exposure due to unresolved or simply ambiguous issues of patent protection, IP indemnification, licensing, and (unknown) country of origin.
Why Mocana stands out over OpenSSH and OpenSSL
In response to these limitations, Mocana built NanoSSL™ (Client and Server) and NanoSSH™ (Client and Server) from the ground up. Along with the rest of the Mocana Nano product line, they offer many valuable benefits, including:
Considerably higher performance than their open source counterparts
Considerably smaller footprints than the open source code bases