The Back Story:
I’ve recently joined a big financial firm as an Architect and we are in the process of designing our first Internet facing transactional e-commerce website (the current website is a mix of mostly static, a wee bit dynamic, CMS based information portal). As part of this design we are evaluating various Operating Systems (apart from firewalls, databases, programming languages and hosting options).
A bit more about the firm:
- The firm currently uses products from a firm headquartered in Redmond for their intranet portals
- Most of the programming work is outsourced to third-party software development shops
- The ‘internal handlers’ of these projects within our firm are middle-management. These guys don’t have the technical know-how to distinguish Linux from BSD. For them open source is Linux.
- Since there is very little knowledge of open source – people are ‘afraid of open source’. It is mostly a fear of the unknown. The prevailing mindset is – if it’s security-related, it can be solved by getting a Cisco Firewall.
- The firm is genuinely concerned about security. In fact they are paranoid about it.
A bit about me:
- Application developer for the past 10 years. Mostly Java – a bit of Lua. Dabbled a bit with systems – but by no means a competent system/network admin.
- Been researching various OSes for the last 2 years. FreeBSD and OpenBSD are my favorites because I like the clean, simple style of the systems. I prefer the BSD style licenses to GNU/GPL ones. I like OpenBSD for their uncompromising focus on security. I use OpenBSD + Xfce on my laptop (a Thinkpad). I also really like the OpenBSD people – Michael Lucas (and his books), Henning Brauer, Joshua (and this site), Ted, the Conformal guys (Marco and Dale) and Theo. I don’t know any of them personally but I love their attitude towards systems and security. (Unrelated, but I’m also a Dan Bernstein fanboy)
- Used Solaris and CentOS in production before.
- Strongly believe OpenBSD and its family of tools (pf, OpenBGPD, OpenSSH, etc.) should be the platform on which we build our systems.
- Convincing top management to choose OpenBSD.
- Since I am new, I need to provide credible real-world evidence of OpenBSD deployment successes – preferably in the Banking and Financial Services Industry. I can easily find details about this for, say, RHEL (Red Hat mentions on their website that RHEL is used on 80% of the world’s stock exchanges and cites NYSE and LSE as their clients). Does any such data exist for OpenBSD? I went through the ‘Products based on OpenBSD’ page and I could find a lot of Firewall/Router/Security firms but no BFSI data.
- Have any of you here ever been in a similar position? How did you convince management to use OpenBSD?
My current proposal:
- Mention that OpenBSD is one of the few OSes that have security as their primary focus.
- Mention that an architecture composed of only OpenBSD boxes will be a much more elegant, auditable and maintainable system than cobbling together a Cisco router/firewall with some RHEL boxes.
- Mention that we can hire top security guys – for example Henning – to design and review our network and security architecture.
- NEVER mention cost as a deciding factor. Because the mentality here is to equate ‘free’ with ‘cheap’. Also, I have no intention to use it as a free system. I intend to push the firm to donate to the OpenBSD foundation.
What I am most afraid of is the following question – If it is so good, then why isn’t anyone in BFSI using it? Well, the logical answer to that is that the security/firewall organizations are using it, and selling their products to the BFSI industry – but I don’t think it’s a strong enough answer.