When embedded systems development teams investigate security tools to include in their devices and applications, open source libraries often seem attractive. There seems to be an open source solution for virtually any security protocol, such as OpenSSL, OpenSSH, and the various flavors of “Swan” IPsec. Such projects are popular, offer lots of optional user-written add-on modules, and—best of all—they are free.

Closer observation, however, reveals that there is in fact “no such thing as a free lunch,” especially when it comes to implementing security in non-PC environments. This paper explores the downsides of using open source security code in production environments, including: hidden costs, such as maintenance and legal liabilities; support issues; and variability of code quality. A solution is proposed that offers optimum security and a lower total cost of ownership (TCO).