Open Source adoption 'putting businesses at risk'
Widely used Open Source enterprise software packages are exposing users to ‘significant and unnecessary business risk’, claims a report by Fortify Software. Its ‘Open Source Security Study’ finds that Open Source Software development communities have yet to secure their development processes, and leave ‘dangerous vulnerabilities’ in place.
The study, authored by security consultant Larry Suto, says that ‘nearly all’ OSS communities ‘fail to provide users access to security expertise to help remediate these vulnerabilities and security risks’. It examined 11 of the most common Java Open Source packages.
To evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with Open Source maintainers, and examined documented Open Source security practices.
Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA (the static analyser in Fortify’s security suite, Fortify 360). Security-sensitive areas of code were also reviewed manually.
“Open Source software can be another valuable option in today’s corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs,” said Roger Thornton, founder and CTO of Fortify Software. “This is an endemic issue that starts in the Open Source community, and while Open Source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms to test and analyze software code need to be done with great rigor in Open Source communities to influence a secure development process.”