Tripwire Opens Up "Best of Breed" Security Tool

by David Penn

Security tools maker Tripwire has announced that its flagship product, Tripwire, would be fully open sourced during the third quarter (July, August, September) of 2000. The announcement also included Tripwire, Inc.'s plan to host what they are calling the Tripwire Open Source Project on VA Linux Systems' SourceForge open source development web site, and partnership agreements with Caldera Systems, SGI and Red Hat.

Said W. Wyatt Starnes, president, CEO and co-founder of Tripwire, Inc., "Our decision to create an open source model for our Linux product ... allows us to extend our award-winning integrity assessment capabilities across the thousands of additional Linux enterprises that are playing a key role in today's eCommerce and eBusiness markets."

Tripwire's software works by taking a picture of critical files and sounding the alert when the files change. The changing of the files is the clue that warns the system that possible intrusion is taking place. More information on Tripwire is available in a FAQ. While Tripwire, Inc. is "exploring the use of the GNU GPL", the company stated in a FAQ that it has not decided on licensing as of yet.

In many ways, Tripwire, Inc.'s open sourcing of its Tripwire product is a return to its roots. With origins in academia and the fact that the source code for Tripwire's Academic Source Release (ASR) has been widely available since 1992, Tripwire's move to open source its "significantly enhanced commercial version" is perhaps less dramatic than similar moves by other companies. But one of the especially significant aspects of the Tripwire announcement is that the company is providing source code for its flagship product, as opposed to merely open sourcing older versions of outmoded or even virtually obsolete software. This backhanded open sourcing strategy, unfortunately, has been popular among some companies hoping to earn a little positive open-source karma without exposing their precious proprietary software to the powerful currents of open-source development.

"We are embracing our roots here and see this model benefitting all of our loyal users who have supported us by using Tripwire to build their infrastructures of trust throughout the past eight years," added Mr. Starnes.

But Tripwire, Inc. will be relying on more than just loyalty in continuing to develop its open-source business model. In addition to bundling opportunities with a variety of partners, Tripwire, Inc. plans to put great emphasis on "second order business model development", which means, essentially, commercial products on top of open-source products.

"We are combining the open source, Linux-based Tripwire with an opportunity for the customer to buy other increased functions and value adds in a commercial and binary product," explained Nithya Ruff, Director of Product Marketing for Tripwire. "For example, the customer who has an open source Linux may want a management console to manage his hundreds of servers ... He can purchase the commercial binary product Tripwire HQ Manager and Tripwire HQ Agent for this.

"We are making the infrastructure and engine available with any optional, value added commercial pieces available for purchase by those who need and want them."

Another significant component of the Tripwire announcement is its wide embrace of the Linux industry by forming partnerships with established Linux companies, including Caldera Systems, SGI and Red Hat. These partnerships include co-marketing and co-release of commercial versions of closed-source products to enhance the basic Tripwire product.

Promising to "change the security landscape", Caldera Systems' Ransom Love praised the new relationship with Tripwire, noting that Tripwire will have a baseline configuration with Caldera's eServer product. "We believe in taking the best of open source and integrating commercial products," Mr. Love said during a teleconference. "Tripwire and Caldera are in a unique position where together we can drive and deploy security and a sense of trust from the data center to the desktop."

One of Tripwire's new partners is, in reality, a relatively old partner. Tripwire for Linux has been shipping with Red Hat Linux for the past few releases, and the company is part of Red Hat's ISV program. Said Paul McNamara, general manager of the enterprise business unit for Red Hat, "Tripwire was among the first commercial applications to support Red Hat Linux ... and has one of the most well-recognized brands in security."

For their part, Tripwire's new relationship with SGI means the security system will become a part of the SGI Internet Server. Jason Danielson, director of marketing of the broadband and Internet solutions business unit at SGI, also praised the trend of "open sourcing 'best of breed' products", pointing to Tripwire's intrusion detection and integrity assessment abilities as something that will help SGI sell its Internet server to its ISP and ASP customers.

Tripwire was originally developed for the Computer Operations Audit and Security Technology (COAST) at Purdue University in Indiana. Available in C source code form, Tripwire has been available commercially since January 1999. Locations for downloading the older, pre-commercial version of Tripwire include comp.sources.unix (Usenet), /pub/spaf/COAST/Tripwire (anonymous FTP) and by e-mail. Send an e-mail request to, with "help" in the message body.

Note that the pre-commercial version stores pictures of protected files in open format (as opposed to the encrypted format of the commercial version), which leaves an avenue for crackers to cover their tracks by making a clean file "snapshot" after invading a system.

The company's new moves, which it refers to as "Tripwire everywhere", are to extend the software's integrity assessment beyond the operating system to encompass as much as an entire network--including databases and network devices. While only one of a number of security tools used by UNIX administrators, Tripwire is considered by many to be a significant piece of software when it comes to intrusion detection.

"We want to provide confidence in the infrastructure that runs critical business processes--currently, that means Tripwire instrumenting and monitoring every web server, critical domain server, backend database servers, etc.", added Tripwire founders Wyatt Starnes and Gene Kim. "In the future, we will be shipping other products that help IT and data center managers defend other critical components that enterprise functions hinge around, such as routers and SQL databases.

"Linux is rapidly being accepted as an infrastructure component, and we feel Tripwire can help its acceptance for mission critical functions and is an ideal fit in our strategic roadmap."

Tripwire's increased participation in the Linux security market should also help allay fears that open-source software may somehow be "easier" to crack. To some, the fact that Linux (and UNIX, for that matter) is administered over a network makes the open-source operating system potentially more vulnerable to attacks. Additionally, access to the operating system at the source code level does provide avenues for intrepid crackers.

But openness giveth, and openness taketh away. This same openness and access to the source code means that holes and security flaws can not only be accessed by crackers, but can also be detected, analyzed and fixed by programmers. And the potential number of "fixers" for open-source software is so significantly larger than even the largest possible squadron of paid programmers that, often, open-source software comes up as, at least potentially, more securable in the long term than most proprietary systems.

Tripwire is fresh off a second round of venture capital funding as well, in the form of $9 million from a collection of investors including Bessener Venture Partners, Advanced Technology Ventures, and Kyocera. According to Tripwire CEO W. Wyatt Starnes, the additional funding will help Tripwire expand current product lines and move into new markets.

Additionally, Tripwire opened its first Japanese office earlier this month, offering to help stem the recent tide of cracker attacks on Japanese government web sites.

For more information on Tripwire technology, the following links are provided.

And more information on the Tripwire Open Source project is available at


Load Disqus comments