Hi Steve,
There are a few advantages in a proprietary solution.
1) There is an inherient (additonal) buffer of security because the source code of the implementation is not readily downloadable. The Software provider serves as a check and balance to qualify that the recepient is an entity which can be identified. Given that the blueprints for the code are not easy available to parties that are not identifiable this limits exploit and vulnerablity experimentation.
2) The expense is minimal when you consider the impacts such as heartbleed can have to your product and customers. In most cases I would say that the price range for a commercial solution is around 5K-20K depending on the use senario and scope or utilization of support that your organization requires. Taking an Open Source implementation of OpenSSL, massaging it to your use parameters, and then maintaining it is not - (free), contrary to popular believe.
3) Many of the commercial solutions focus on size and performance. This may not be an issue for you depending on the device or implementation, but many of the connected devices for IOT/M2M simply do not have loads of memory available to waste. here there is also a cost savings which is hardware related.
4) Many of the arguments that I've seen for OpenSSL are a bit challenging to wade through. There's a good deal of theroitical input for the values of open source development, however you have identified the key point. Regardless, you have a single source small organization that is responsible to activly work on the project and maintain a distribution of OpenSSL. I'm not anti-open source either but for this particular security feature I personally feel that a commercial implementation is a smart solution.
5) Commercial software providers often license their products with indemnification and thus you have a for profit commercial entity taking responsiblity with repercussion that their continued ability to sustain revenue is at stake.
6) One of the areas that caused heartbleed to be so 'catostrophic' was the wide spread use and utilzation of OpenSSL. I would venture to say that most of the 2/3's world implementations didnt question adoption as you are doing now. Commercial solutions offer variety. Those companies that did not use OpenSSL were not effected.
JShima
= new reply since forum marked as read
