Davey Winder
Monday, 21 July 2008 16:47
Business IT - Open Source
Page 1 of 3
One security outfit which conducted a study into the use of open source software in the enterprise, the results of which are published today, seems to think so. It states that "Open Source Software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed."
New data from Fortify Software suggests that the rising adoption of open source software within the enterprise is putting the average business at far greater risk than it should be. The Open Source Security Study has just been published and reveals that some of the most widely-used open source software in the business environment is leaving users exposed to a "significant and unnecessary business risk."
As well as insisting that OSS development communities do not adopt a secure development process that follows software security best practice, and therefore often leave potentially dangerous vulnerabilities unaddressed, Fortify goes on to charge that "nearly all" such OSS communities are also failing to provide users with access to the kind of security expertise that could help remedy the vulnerabilities and risks that remain.
The survey, which was undertaken by application security consultant Larry Suto, looked at a total of just 11 of the most common Java open source packages. The evaluation of security expertise and of that all-important secure development process metric was done by Fortify, which claims it "interacted with open source maintainers and examined documented open source security practices" as well as downloading and scanning multiple versions of each package for vulnerabilities using a static analyser. Security-sensitive areas of code were also reviewed manually.
What does the former cyber security advisor to the White House have to say about open source software vulnerabilities? All will be revealed on the next page...