Farm9 Hopes Open-sourcing Will Help Grow Business


Company’s security software to be available for free


Farm9 hopes to extend its market reach by open-sourcing its Harvester managed security operations center software.

By making software open source, farm9 hopes to gain name recognition and new clients in small- and large-business markets, said Guy Morgan, the company's co-founder and COO. Harvester provides data collection, consolidation, archiving and analysis of network and system security events.

"We think we'll penetrate markets we couldn't enter before," Morgan said.


Farm9 believes that with everyone in the open-source world pitching in, its Harvester software will be enhanced.

Getting the software for free may make it easier for small businesses to afford the monitoring service, he said. Large companies with staff for a 24x7 operations center, on the other hand, can get commercial support for the software from farm9, he said.

Founded about two years ago, farm9 doesn't lose much by making the software free because its core business is providing round-the-clock monitoring, analysis and support services, Morgan said.

The company charges about $5,000 up-front for the software, hardware and installation services in addition to the annual monitoring service contract, which costs a midsize company about $35,000, he said.

Also, an open-source Harvester will be enhanced through peer review, Morgan said.

"In the open-source world, everyone can see and critique the code, and many hands make light work," said farm9 CEO George Milliken.

The firm plans an initial open-source release of Harvester,with project objectives, architectural documentation, a technical specification draft and FAQs,in early September.

"We'll stop there with that release to get feedback from people," Morgan said.

In October, the company plans to release the core Harvester engine, the code that provides for realtime data collection from host systems, network infrastructure systems and security devices such as firewalls and intrusion-detection systems. The Harvester engine consolidates the information into a database.

The first code release of Harvester also will include a plug-in module for archiving of data. A second release scheduled for December will include bug fixes and an enhanced installation process.

Harvester is based on open-source tools OpenBSD, Linux, MySQL, Apache, PHP, Zope, Perl, Python, Sabernet, JpGraph, Snort, Nessus and Whisker.

Morgan said it may take three to six months from the initial release of Harvester before it can be easily installed. That could open implementation opportunities, but farm9 hopes to make the technology simple to use, he said.

But while farm9 sees open source as the road to opportunity, other security providers are skeptical.

Security is a dynamic process, and open-sourcing doesn't guarantee the software will stay current, said Darwin Herdman, CTO of RedSiren, a security services firm based in Pittsburgh. RedSiren puts continuous research and development efforts into its proprietary security operations software to ensure it's up to date with current threats, Herdman said.

By open-sourcing software, farm9 appears to be avoiding the expensive quality control and testing costs associated with making the software commercially available, Herdman said.

Paul Proctor, founder and CTO of Practical Security, a security solution provider based in Rancho Santa Fe, Calif., said farm9's open-source project "sounds like a wonderfully novel idea to get your products out there," but added that open-sourcing is a risky business venture.

Morgan said farm9 had considered turning the software into a shrink-wrapped commercial offering and venture-capital firms had inquired about that possibility.

The problem with the shrink-wrapped security operations center approach is the huge development and support burden and the fact the product would be expensive, making it hard to sell to many customers, Milliken said.