Open source software fails in security

Open source software fails in security

By SiliconIndia   |   Monday, 28 July 2008, 09:59 Hrs
Printer Print Email Email
Bangalore: The most widely-used open source software (OSS) packages for the enterprise are exposing users to significant and unnecessary business risks.

According to a survey sponsored by Fortify Software and completed by an application security consultant Larry Suto, the open source software development communities so far didn't adopt a secure development process and often leave dangerous vulnerabilities unaddressed. And also, nearly all OSS communities fail to provide users access to security expertise to help remediate these vulnerabilities and security risks.

"Open source software is an Achilles' Heel in today's corporate enterprises, and should be a significant concern for CIOs who depend on open source software to run their business," said Howard Schmidt, former cyber security advisor to the White House and (ISC)2 Board Member. "This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms aren't as prevalent in open source communities to influence a secure development process."

The study examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, researchers interacted with open source maintainers and examined documented open source security practices. Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA (the static analyzer found in Fortify's security suite, Fortify 360). Manual scanning was also executed on security-sensitive areas of code.

Though enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. The study recommends that enterprises follow the example of financial services companies in applying risk and coding analysis techniques to their open source software.

The study also recommends enterprise raise security awareness within open source development communities and emphasizes the importance of preventing vulnerabilities upstream. Enterprise security teams should also articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles, the study suggests.

Write your comment now
Submit Reset