Study: Open Source Software Exposing Companies To Security Risk
Fortify Software Inc. recently released its Open Source Security Study which reveals that the most widely-used open source software packages for the enterprise are exposing users to significant and unnecessary business risk.
The study validates that Open Source Software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, the study found that nearly all OSS communities fail to provide users access to security expertise to help remediate these vulnerabilities and security risks.
"Open source software can be another valuable option in today's corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business," said Howard A. Schmidt, former cyber security advisor to the White House. "This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms to test and analyze software code need to be done with great rigor in open source communities to influence a secure development process."
The survey, sponsored by Fortify Software and completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA. Manual scanning was also executed on security-sensitive areas of code.
Increased enterprise adoption of open source is evidenced by reports from a number of leading analyst firms, including Gartner, which recently reported that by 2011, 80 percent of commercial software will include elements of open source technology.
Additionally, an April survey from CIO reported that more than half of its respondents are using open source applications in their organizations today. A recent report from Forrester Research noted that for over 88 percent of respondents, security of open source software was an important concern.
Although enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. As a result of the survey, Fortify recommends that enterprises should follow the example of financial services companies in applying risk and coding analysis techniques to their open source software. "
Most open source communities do not follow enterprise-level change control standards," says Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. "There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."
"Today's enterprises are built and operated by software that comes from a variety of sources," commented Roger Thornton, founder and CTO of Fortify Software. "The software could be developed in-house, purchased off-the-shelf, outsourced, or as we're seeing more often, based on open source. In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source."