BOSTON - In conference sessions and hallway discussions at LinuxWorld Expo last week, open source users swapped strategies for hardening Linux servers and building open source applications that can repel hackers, stand up to regulators and survive the scrutiny of intellectual-property lawyers.
One company betting the server farm on open source is AthenaHealth, a company in Watertown, Mass., that processes insurance claims and manages information for small medical practices and large hospitals. The company has built a large extranet application based on Linux servers running Oracle, Apache Web Server and a modified version of the open source SugarCRM application.
"Open source doesn't really increase our security risk; our risk is quite large for plenty of other reasons," said AthenaHealth CTO Bob Gatewood, whose company stores 15 million medical records, as well as Social Security and credit card numbers for the patient data it manages.
Gatewood delivered a keynote speech at the conference, which drew about 8,000 attendees and 150 exhibitors.
"It doesn't make a difference if your infrastructure is open source or not," Gatewood said. "The security issues with proprietary software are pretty well publicized, but I don't think in general there are any fewer security holes in open source stuff. . . . Keeping the network secure comes down to our testing process."
When developers want to use a new open source module, the software is deployed in a test network where its behavior is studied, and it is put through security and quality-assurance testing. This process is in place to handle any open source legal and technical risks.
"This triggers a process where we take a look at the license and give it to our lawyers, and our release engineers take a look at the code to determine if it's safe," he said.
About the intellectual-property aspects of open source, Gatewood said, "we have to look at what [open source] we're using. Our lawyers are very much interested in keeping track of what modules and licenses we use, whether it's [General Public License] or something else." Because AthenaHealth does not make major modifications to the open source software it uses, issues of violating open source licenses by tinkering with code are not much of a factor.