
Study Says Open Source Software a Security Risk

Posted by CmdrTaco
from the sky-is-falling dept.
chareverie writes "Fortify Software released a study where they concluded that open source software poses a large security risk to corporations who have implemented it. They reason this by stating that the fault lies within the open source communities and their failure to adhere to minimum security practices. Fortify Software studied 11 open source software packages, where the application server Tomcat was determined to be the best. The other 10 were found to have poor results, with those being Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts. Jacob West, manager of Fortify's research group, reminds that the purpose of the study was 'not to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.'"
  • by betterunixthanunix (980855) on Monday July 21, 2008 @06:52PM (#24281607)
    That list is a bunch of unrelated packages. Hibernate is not an application server, it is an ORM. OFBiz is an automation framework that runs on top of an application server. Hipergate is a collection of various web apps that run on an application server.

    They also forgot to have a proprietary package -- so the comparison is between open source packages. They might as well say, "Proprietary software poses a security risk. We've evaluated .NET, Matlab, and Age of Empires."
  • Where to start... (Score:5, Informative)

    by d3ik (798966) on Monday July 21, 2008 @07:03PM (#24281747)

    FTFA:

    Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

    The projects in question:
    Tomcat, Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts.

    For those who don't play in Java often:

    Derby is an embedded database.
    Tomcat, Geronimo, JBoss, Resin and JOnAS are Java (EE) app servers.
    Hipergate and OpenCMS are (you guessed it) content management systems.
    Hibernate is a persistent framework.
    Struts is a web framework.

    So of any of these, it seems that the only projects that would be open to XSS or SQL injection would be the CMS products. Unless they're referring to the web administration for the app servers?

    The only way to have SQL injection attacks in javaland is if you're not using prepared statements or if your database driver isn't preparing/escaping properly.

    So they're saying two CMS projects have tens of thousands of XSS and SQL injection vulnerabilities?
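
An added example, not from the discussion or from Fortify, that makes the prepared-statement point above concrete: the same login lookup written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table. Python's sqlite3 placeholders stand in for JDBC's PreparedStatement here so the block runs without a Java database driver; the table, rows and test input are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample user store standing in for a CMS login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "editor")],
    )
    return conn


def lookup_concat(conn, name, pw):
    """Vulnerable form: the query text is built from user input, the same
    shape as a Java Statement.executeQuery("... '" + name + "' ...") call.
    Whatever the caller supplies is parsed as SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND pw = '" + pw + "'")
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name, pw):
    """Hardened form: '?' placeholders bind the values as data, the
    equivalent of PreparedStatement.setString(). The driver never hands
    the input to the SQL parser, so no quoting by the caller is needed.
    (This relies on the driver binding natively; sqlite3 does.)"""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def demo():
    """Run both lookups with a textbook tautology in the password field
    (constructed input) and return (vulnerable_rows, hardened_rows)."""
    conn = make_db()
    payload = "' OR '1'='1"
    vulnerable = lookup_concat(conn, "alice", payload)   # returns every row
    hardened = lookup_prepared(conn, "alice", payload)   # returns nothing
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, hard = demo()
    print("concatenated query returned:", vuln)
    print("parameterised query returned:", hard)
```

The concatenated version matches every row because the injected text turns the WHERE clause into `name = 'alice' AND pw = '' OR '1'='1'`; the parameterised version treats the same text as a literal password and matches none.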

  • by dacut (243842) on Monday July 21, 2008 @07:44PM (#24282147)

    WTF? My team uses Fortify to analyze our Java webapps (compiled on the Sun JDK [slashdot.org] and running on their JRE), which is then deployed to Linux servers running RHEL 5 [redhat.com]. HTTP connectivity for the apps is provided by Jetty [mortbay.org]; the apps themselves connect to Oracle [oracle.com] databases (using C3P0 [mchange.com] for connection pooling).

    With Fortify 4.0, I griped that it provided no value that we didn't already get with FindBugs [sourceforge.net] (for free). The 5.0 release (along with the workbench, which provides better information than the HTML report), however, did catch a few bugs which weren't caught by FindBugs. We now run both tools in our automated Hudson [java.net] builds.

    Where, exactly, are the Microsoft products in the above list?
