22 Jul 2008
A study into 11 popular open source applications suggests that enterprises are underestimating the security risks of using the code.
Security vendor Fortify studied the applications, including JBoss and OpenCMS, and found a number of security problems which it partly blames on poor security practices and processes by open source programmers.
"Security best practices are a low priority to the open source projects surveyed," said Fortify's Open Source Security Study.
"Open source packages often claim enterprise-class capabilities but are not adopting, or even considering, industry best security practices. Only a few open source development teams are moving in the right direction."
Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building effective security into the design and implementation of their software.
The report highlighted three features that Fortify considers vital for enterprise software security: proper documentation; access to security coders within the development group; and a clear point of contact for security questions.
Only two of the packages reviewed offered a link to security documentation, three gave access to security coders and only one, Tomcat, had a dedicated security email.
"Most open source communities do not follow enterprise-level change control standards," said Jennifer Bayuk, an independent security consultant and former chief information security officer at Bear Stearns.
"There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs that they do not anticipate."
The study also looked at the patching lifecycle and highlighted serious concerns with some applications, for which patches can take up to a year to be issued. Hipergate's CRM applications fared particularly poorly in this respect.
Do you agree?
Nothing like a white paper to sell products
OK, so Fortify wants to sell more of their software to check for bugs, so they hire a consultant to write a study saying that open source doesn't use Fortify, so it is less secure. Jeez - could they be more self serving?
Posted by: John H 22 Jul 2008
Perhaps Security Companies could work in security better
On the recent release of Firefox 3, within a couple of hours a prominent software company exposed to the world a flaw it had found. The beta and release candidates had been around for ages, yet this company had not chosen to mention this prior to the full release. This was great publicity for the company itself, but the open source philosophy works far better if everybody with the ability to support a project would pitch in with the effort before final releases. That can be the strength of open source. Closed source is hidden, no-one but authorised personnel can see the code, and so those coders won't know if they have made a mistake until release, when someone has already paid for it. If security companies want to be a positive part of the computer industry, they would get more kudos if they could show how proactive and responsible they are by supporting and promoting these free and open projects as members of a community. There is a name for people who wait for people to fall over and then say that one's shoelaces are undone!
Posted by: Ukubuntu 22 Jul 2008
Salesman FUD
The open source development model has produced some of the most secure and robust code in the world. There are even tools available to objectively and quantitatively prove the quality of Open Source code (see Aleitha Core review at http://tinyurl.com/64stta). Do you think GCHQ or the NSA would use insecure software? They are both massive users of and contributors to Linux.
Posted by: dogStar 22 Jul 2008
Why is this an open source problem?
I suggest a more accurate article, titled: "Enterprises and developers warned of the ongoing failure to take security seriously" To be fair, this study should have focused on more than open source because as other studies have shown, commercial developers are also guilty of setting security low on the list of development tasks. Do not forget a certain popular operating system that does not last an hour on the Internet if practices like firewalls and AV software are not used even though the developer likes to chastise its competition on security. Even when security documentation and best practices do exist, many developers, systems administrators and end users ignore it. Also, it is misleading to infer that open source is not already in widespread use. Maybe on the desktop, open source has a small footprint but it remains dominant within Internet infrastructure and on many enterprise back end servers.
Posted by: Bill R 22 Jul 2008