
Study Says Open Source Software a Security Risk

Posted by CmdrTaco
from the sky-is-falling dept.
chareverie writes "Fortify Software released a study where they concluded that open source software poses a large security risk to corporations that have implemented it. They reason this by stating that the fault lies within the open source communities and their failure to adhere to minimum security practices. Fortify Software studied 11 open source software packages, where the application server Tomcat was determined to be the best. The other 10 were found to have poor results, with those being Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts. Jacob West, manager of Fortify's research group, reminds that the purpose of the study was 'not to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.'"
  • ZOMG!!! (Score:5, Interesting)

    by clang_jangle (975789) * on Monday July 21, 2008 @06:23PM (#24281291) Journal
    Wait, so you're saying a vendor of proprietary security software [fortify.com] is criticizing FOSS security?!?
    Why, this is just too much, how will we ever recover? And they even based it on 11 whole OSS projects... Game over!
    • Re:ZOMG!!! (Score:5, Insightful)

      by moderatorrater (1095745) on Monday July 21, 2008 @06:30PM (#24281369)
      Check out some of the things that they're rating it on, too. A lot of their complaints and ratings come from communication and support issues, where most open source software fails. That's why there's a service industry being built up around open source software. You'll also notice that they didn't rate any software that has a big company behind it, like RHEL or MySQL or anything like that.

      That being said, these are valid complaints, and if external support is going to be an issue with your company, then you need to think very carefully about whether open source software is right for you.
      • by 644bd346996 (1012333) on Monday July 21, 2008 @06:58PM (#24281687)

        JBoss is owned by RedHat, so it qualifies as having a major company backing it (at least as much as RHEL does).

      • Re:ZOMG!!! (Score:5, Interesting)

        by betterunixthanunix (980855) on Monday July 21, 2008 @07:00PM (#24281715)
        JBOSS is a division of Red Hat, and Red Hat provides extensive JBOSS support. In fact, JBOSS running on RHEL 5 has a higher security rating than almost every other commercial software package. My guess is that the authors of the article decided to go with the community version of JBOSS, which does not have the support from Red Hat. This is somewhat typical of attempts to make open source packages look bad: talk about enterprise security, then evaluate a non-enterprise package.
    • Re:ZOMG!!! (Score:3, Insightful)

      by snowgirl (978879) * on Monday July 21, 2008 @06:54PM (#24281627) Journal

      Yeah, I looked over most of the projects that they commented about... it's like, um... where are the big names? OpenBSD, Linux, X.org, Apache?

      Like... oh right, if they reviewed high-profile FOSS projects rather than low-band FOSS projects, they'd come out with different results...

      TRASHBIN!

      • Re:ZOMG!!! (Score:0, Troll)

        by Anonymous Coward on Monday July 21, 2008 @08:01PM (#24282311)

        The study is crap, but the software listed isn't.

        JBoss and most of the others in the list are the major players in open source enterprise solutions.

        JBoss is used in a large and fast growing number of major enterprise systems around the world.

        Red Hat has world class global support for JBoss and the other technologies they support.

        Java is becoming an integrated part of Open Source just like Linux, Apache, and X.org. The next versions of Ubuntu, Debian, Fedora, RHEL, and so on will have a record number of quality Java packages.

      • by scott_karana (841914) on Monday July 21, 2008 @08:23PM (#24282535)

        They were only reviewing application servers; blame the article summary.
        Though incidentally: Tomcat and Geronimo are the Apache Foundation's, and JBoss is Red Hat's. Big enough names?

    • by Anonymous Coward on Wednesday July 23, 2008 @07:54AM (#24302049)

      It is funny how "commercial software" vs "freeware" issues are always presented as if they were issues of "open source" vs "proprietary".

      Both open source and proprietary can perform well or badly depending on whether they are commercialized and done by professionals or freeware done by hobbyists.

  • What we use (Score:2, Insightful)

    by Anonymous Coward on Monday July 21, 2008 @06:24PM (#24281297)

    Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts

    While we use tomcat, thankfully we don't use any of the others (in fact, I haven't even heard of several of them). As an example, we use Alfresco as our cms. If it ever caused security concerns, we could switch to a different open source cms. This would probably be quite a bit tougher if you were stuck with a single closed source package (and good luck finding out which "minimum security practices" a closed source vendor uses).

  • by MostAwesomeDude (980382) on Monday July 21, 2008 @06:29PM (#24281349) Homepage

    Tomcat and OpenCMS, to be specific. And I don't use any of them.

    This might be interesting news to me if they found problems with: Apache 2, PHP 5, Wordpress, Gallery 2, or Python 2.5, which is basically what my site runs on.

    And yes, I know there's security problems with PHP and Wordpress. I'm just pointing out that they aren't targeting more popular software; wonder why?

    • by jd (1658) <imipak&yahoo,com> on Monday July 21, 2008 @06:35PM (#24281425) Homepage Journal

      JBoss is not widely used. Struts is, Hibernate mostly is... However, the underlying problem is that these are ALL middleware packages. Is the study claiming that the middleware is faulty? Or that the apps other people write on top of that middleware have issues? If it's the apps, then the middleware is likely blameless. Even if it is the middleware, why isn't the app filtering out erroneous inputs? And why is the middleware being run in a container with excessive permissions?

      This study manages to tell me one thing: This group has no idea how to perform studies. Even most FUD merchants would do a bit better job of covering the deficiencies in their methods.

      • by Anonymous Coward on Monday July 21, 2008 @07:06PM (#24281781)

        why isn't the app filtering out erroneous inputs?

        Obviously a PHP programmer - as only one of those could think that should be necessary.

      • by julesh (229690) on Tuesday July 22, 2008 @06:09AM (#24286529)

        Is the study claiming that the middleware is faulty? Or that the apps other people write on top of that middleware have issues? If it's the apps, then the middleware is likely blameless. Even if it is the middleware, why isn't the app filtering out erroneous inputs? And why is the middleware being run in a container with excessive permissions?

        They appear to be claiming the middleware is faulty. Note that the authors of the report sell a Java-based static analysis tool for detecting the kinds of security fault they're reporting. What proportion of the flaws it has located are actually flaws is kind-of an interesting question. If it's analysing middleware, it probably depends heavily on how the middleware is used, and chances are some of these supposed flaws are pretty unlikely to be encountered in real production code.

        Here's an example I can imagine:

        When an exception occurs in a servlet and it's configured to do so, Tomcat dumps the stack trace to the output web page. Now, it's plausible that the stack trace isn't quoted during output; there would not normally be any need to do so. Now imagine I create a servlet that produces and executes bytecode containing a method with a name specified by a user. Because it isn't going through a compiler, I suspect you may be able to get away with calling that method '<script>alert("hello")</script>'. This might create an XSS vulnerability, which would (at least from a static analysis tool's perspective) be in the application server's code.

        I imagine this is the kind of tortured thinking that's necessary to see many of these as faults in the middleware.

    • by kesuki (321456) on Tuesday July 22, 2008 @01:09PM (#24291413) Journal

      a wordpress vulnerability is nominated for the pwnies.

      it's probably patched, but not everyone uses the latest wordpress version, so it's still bad.

      the compromise allowed remote attackers to put any kind of malware distribution site on any vulnerable wordpress site.

      not to mention the horrible debian flaw, dating back to 2006, where a programmer removed 2 critical lines of code that limited debian to 15-bit keys for all openssl operations! that's about 15,000 keys.

      FOSS is vulnerable to bad flaws, clever hackers can complain about a 'problem' with code, and if they're lucky get a patch put in that makes software vulnerable, easily, and with debian manage to corrupt systems for 2 years.

      more eyes is better, yeah right. I still have hope for linux, because even if one particular distro makes horrible mistakes, you still have the source to work with. not to mention it only costs time to harden a linux system, with windows it costs money.

      • by Anonymous Coward on Tuesday July 22, 2008 @03:58PM (#24294099)

        FOSS in theory is great - if a FOSS app has a critical flaw there is a great incentive to FIX it, fast, or the software will simply be dropped.

        In a proprietary situation (like Windows) flaws are ignored if possible, touted as 'features' if unfixable, and hidden if critical. Those vendors have a vested interest in not only hiding problems, but also in providing support to 'fix' them for the customers. The last thing they want is someone releasing a fix for them - it makes them look stupid and prevents them from claiming that the 'fix' cost so much that they have to charge more, and makes their customers question why they pay for support in the first place.

  • by 14erCleaner (745600) <FourteenerCleaner@yahoo.com> on Monday July 21, 2008 @06:29PM (#24281351) Homepage Journal
    Since Fortify is a security firm, it's obviously in their best interest to have everybody using 100% Microsoft products.
  • by Anonymous Coward on Monday July 21, 2008 @06:37PM (#24281443)

    How can you expect decidedly anti-corporate open source to have decidedly corporate security regimes?

    There WILL be vulnerabilities, but at least you MIGHT know about them in time to do something.

    This is a HR problem for said organizations.

  • by fractic (1178341) on Monday July 21, 2008 @06:44PM (#24281501)
    This study doesn't show OSS is a risk at all. They forgot to compare it with proprietary software. Without such a comparison you can't tell whether OSS is worse. For all I know 10 out of 11 proprietary software packages would have issues too.
  • in other news... (Score:4, Insightful)

    by erbbysam (964606) on Monday July 21, 2008 @06:44PM (#24281507) Homepage
  • by nategoose (1004564) on Monday July 21, 2008 @06:45PM (#24281511)
    Research has shown that closed source software poses security risks.
  • by unity100 (970058) on Monday July 21, 2008 @06:48PM (#24281551) Homepage Journal
    Do I have to give out any examples? How long does it take Microsoft to fix issues and holes with ASP, or Windows?
  • Judge for yourself (Score:5, Interesting)

    by UnknowingFool (672806) on Monday July 21, 2008 @06:49PM (#24281569)
    Maybe the story wasn't reported right but here is a list of their issues with open source:
    • No easy access to security information on Web sites for security experts
    • No confidentiality of security issues vs general bugs.
    • No specific contact for security issues.
    • Lack of response from contacts
    • Don't provide the same level of service that commercial products offer.

    I'm not an expert on open source and security but I get the feeling that the authors judged open source software based on closed source standards. The authors complain that disclosing security issues with general bugs was a problem. Did the authors not understand that full disclosure is one of the tenets of open source? The last gripe is that the service wasn't the same, with lack of contacts and responses. Judging by the summary it appears that the authors just monitored the community forums. Did the authors even pay for support? When you pay for software and support, you should get it. When you don't pay for software or support, why should you deserve service?

    • by P51mus (1266460) on Monday July 21, 2008 @07:02PM (#24281733)

      But, if you don't twist the truth and scream that the sky is falling, that's not a news story!

      Can you imagine a story: "Open source software working as intended"?

    • by jrumney (197329) on Tuesday July 22, 2008 @04:53AM (#24286061) Homepage

      Many of the projects they evaluated are Apache projects. The Apache Foundation has a private list for security bugs (security AT apache.org) so their complaints on that basis are unjustified for those projects at least. And I would be very surprised if they found security bugs in all of those projects in order to test the responsiveness of the developers, so I guess they sent some random mail that was probably justifiably discarded as spam.

    • by rtb61 (674572) on Wednesday July 23, 2008 @05:08AM (#24300737) Homepage
      I can't see how you can fail to understand how full disclosure of faults represents an extreme risk, well, to profits at least. You just can't be having them customers know all about how insecure their security software really is, otherwise why would they be paying you?
      • by UnknowingFool (672806) on Thursday July 24, 2008 @01:20PM (#24321333)
        First, the author did not appear to be a paying customer. At best, they were non-paying customers or users. Second, we are talking about open source here not closed source. Up front, they have already given you (and the rest of the world) the source code whether you are a paying customer or not. Now, I would say that security issues might not be disclosed right away to give the coders time to fix important issues, but to not disclose at all would go against the fundamental nature of open source. After all, someone else could find the same bug and exploit it but you wouldn't know because the software maker kept quiet about it.
  • by mysidia (191772) on Monday July 21, 2008 @06:51PM (#24281587)

    Closed source/proprietary software doesn't adhere 100% to industry "best" practices, such as providing a prominent link to security information on their Web site, either.

    It's just not as easy to see where closed source is lacking, because, well: you don't have the source to conduct research into the security flaws.

    If the source was not public, you, in many cases, would never have known that X practice wasn't being followed by certain elements of the software.

    Closed software can ignore practices whenever convenient, and since the source is closed, they are all but immune to this type of analysis.

    A true comparison requires actually obtaining the source to proprietary software and using that to its full advantage to find security flaws.

  • Blah blah blah (Score:3, Insightful)

    by Aphoxema (1088507) on Monday July 21, 2008 @06:51PM (#24281595) Homepage Journal

    Studies also conclude that lunixes is a big intellectual IP property ripoff doomed to failure, laptops will completely replace desktops in ten years, and piracy is a really big problem that's sending business after business into bankruptcy.

    It's wonderful how you can release any anecdotal evidence from a limited perspective as a marketable 'study'.

    I'm releasing a study on how interest groups posing as reputable and productive companies pass bullshit around like the flu.

  • by betterunixthanunix (980855) on Monday July 21, 2008 @06:52PM (#24281607)
    That list is a bunch of unrelated packages. Hibernate is not an application server, it is an ORM. OFBiz is an automation framework that runs on top of an application server. Hipergate is a collection of various web apps that run on an application server.

    They also forgot to have a proprietary package -- so the comparison is between open source packages. They might as well say, "Proprietary software poses a security risk. We've evaluated .NET, Matlab, and Age of Empires."
  • WTF (Score:3, Funny)

    by imaniack (638051) on Monday July 21, 2008 @06:53PM (#24281623)
    Don't they know OSS is PERFECT in every possible and imaginary way!!!! :)
  • by gawiedeboef (940586) on Monday July 21, 2008 @06:54PM (#24281635)
    Yes, why don't we all dev software behind closed doors and pray nobody finds the holes... like Diebold.
    Why don't the closed source companies show us their code? Are they afraid we will see it's all half-assed security...
    Closed source is based on lies!!!
  • by Anonymous Coward on Monday July 21, 2008 @06:56PM (#24281667)

    Is obviously to do a study on software no-one's EVER heard of.

    Well, that's not true, I've heard of tomcat, the most secure thing there, what a surprise.

    How about they study software people actually use? Like Linux, Apache, Python, PHP etc.

    I wonder if it's because the last times studies were done on those it was found that they were far more secure than closed source software, in a US GOVERNMENT FUNDED STUDY

    • by Darkness404 (1287218) on Monday July 21, 2008 @08:28PM (#24282591)

      I wonder if it's because the last times studies were done on those it was found that they were far more secure than closed source software, in a US GOVERNMENT FUNDED STUDY

      The problem with that is you think that the government is going to be unbiased. Granted, the government isn't on the payrolls of Red Hat or Microsoft, but wouldn't it be in the government's best interest to use open source software that is a lot easier to audit and a ton cheaper? I'm not saying that they are wrong, but the government does have a lot of reason to mess with the statistics to their own favor.

      • We don't really know which way they're going to be biased, though. They could swing for closed source (if Microsoft's lobbyists are going on a spending spree this week) or for open source (if it's the Red Hat lobbyists' turn to do the same). The US government is also easily big enough to produce conflicting information due to different departments working on the same problem.

        However, I maintain that the funding of the study is ultimately irrelevant. If the method is correct, and the data is correct, and the logic is correct, then the conclusions should be correct. If bias has an effect, you should be able to find it within one of those factors. If you can't find it, then repeat the study and see if you get the same results. If you do get the same results, and the majority of other studies get the same results, then the conclusion should be accepted. The scientific method is good at rooting out bias like that.

        As for this study, the article seems to indicate that it mostly revolves around there not being a single point of communication for security on these projects, and security being treated through the same channels as general bugs. The benefit of hiding security info until after a patch is released is hardly a settled issue in the security community, and FOSS in particular will tend to err on the side of transparency. It's more of a nitpicky point than anything fundamentally wrong.

    • by julesh (229690) on Tuesday July 22, 2008 @06:15AM (#24286575)

      Is obviously to do a study on software no-one's EVER heard of.

      To be fair to the report's authors, if you're a Java web app developer (which is their target audience, as they're trying to sell a Java web app security analyzer) you probably recognize most of these projects. Derby was the only one I didn't know.

  • by denmarkw00t (892627) on Monday July 21, 2008 @07:02PM (#24281741) Homepage Journal
    1. The first post, ZOMG!, has some excellent points.
    2. It's open source. Hackers and crackers alike are prepared to face any challenge, from sifting through sets of instructions to exposing and photographing [hackaday.com] the inner workings of silicon. Almost anything employed as security can be reverse engineered, and while steps can certainly be taken to tighten security in open-source software, having the source available for study certainly would help anyone hoping to find flaws. I'm not trying to suggest that OSS is naturally easier to get into (case in point: Windows), but I thought it was kind of obvious that it lacks the "protection" of security through obfuscation, which is really just hoping that your secrets stay secret - but it helps.
  • Where to start... (Score:5, Informative)

    by d3ik (798966) on Monday July 21, 2008 @07:03PM (#24281747)

    FTFA:

    Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

    The projects in question:
    Tomcat, Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts.

    For those who don't play in Java often:

    Derby is an embedded database.
    Tomcat, Geronimo, JBoss, Resin and JOnAS are Java (EE) app servers.
    Hipergate and OpenCMS are (you guessed it) content management systems.
    Hibernate is a persistent framework.
    Struts is a web framework.

    So of any of these, it seems that the only projects that would be open to XSS or SQL injection would be the CMS products. Unless they're referring to the web administration for the app servers?

    The only way to have SQL injection attacks in javaland is if you're not using prepared statements or if your database driver isn't preparing/escaping properly.

    So they're saying two CMS projects have tens of thousands of XSS and SQL injection vulnerabilities?

    • by hardburn (141468) <hardburn@@@wumpus-cave...net> on Monday July 21, 2008 @09:46PM (#24283295)

      I wonder how they're counting. The quote says across "multiple versions". Are they giving multiple counts for a single vulnerability that exists in multiple versions?

    • Re:Where to start... (Score:5, Interesting)

      by julesh (229690) on Tuesday July 22, 2008 @05:55AM (#24286401)

      FTFA:

              Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

      The projects in question:
      Tomcat, Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts.

      For those who don't play in Java often:

      Derby is an embedded database.
      Tomcat, Geronimo, JBoss, Resin and JOnAS are Java (EE) app servers.
      Hipergate and OpenCMS are (you guessed it) content management systems.
      Hibernate is a persistent framework.
      Struts is a web framework.

      So of any of these, it seems that the only projects that would be open to XSS or SQL injection would be the CMS products. Unless they're referring to the web administration for the app servers?

      The only way to have SQL injection attacks in javaland is if you're not using prepared statements or if your database driver isn't preparing/escaping properly.

      So they're saying two CMS projects have tens of thousands of XSS and SQL injection vulnerabilities?

      You're just on the edge, I suspect, of the reason they didn't get good responses from the maintainers of the code for the "vulnerabilities" they reported. That's because, in most cases, they probably weren't vulnerabilities. The authors of the report are the producers of a static analysis tool that -- you guessed it -- detects potential XSS and SQL injection vulnerabilities. Of course, it (like all such tools) has a very high false positive rate.
      In the case of code that automatically generates SQL code algorithmically (not using hard-coded prepared statements, for example) like Hibernate, or generates HTML code algorithmically (like, say, pretty much any JSP implementation or templating language), the number of false positives is going to be huge.

      Any bets they didn't bother stripping out those false positives before reporting the "vulnerabilities"?
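
The two points raised in this thread (d3ik's, that SQL injection in Java only arises when values are concatenated into SQL instead of bound through prepared statements, and julesh's, that a static analyser flags concatenation patterns that are not actually exploitable) in one added example. This is not code from the article, from Fortify, or from any of the projects named; it is written against Apache Derby's embedded JDBC driver, which is one of the packages the study covers, and assumes derby.jar (10.5 or later, for the in-memory URL) on the classpath and a Java 7+ compiler. The class name, the `accounts` table and the method names are mine.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example; not code from the article or from any project it names.
// Assumes Apache Derby's embedded driver (derby.jar, 10.5 or later for the
// in-memory URL) is on the classpath. No files are written to disk.
public class InjectionDemo {
    static final String URL = "jdbc:derby:memory:demo;create=true";

    // Constructed sample data: two ordinary accounts.
    static void seed(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.executeUpdate("CREATE TABLE accounts (name VARCHAR(64), role VARCHAR(16))");
            s.executeUpdate("INSERT INTO accounts VALUES ('alice', 'admin')");
            s.executeUpdate("INSERT INTO accounts VALUES ('bob', 'user')");
        }
    }

    // Vulnerable: the caller-supplied value is spliced into the SQL text, so a
    // value containing a quote changes the structure of the query itself.
    static List<String> lookupConcatenated(Connection c, String name) throws SQLException {
        String sql = "SELECT name FROM accounts WHERE name = '" + name + "'";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Hardened: the value is bound as a parameter. The query's structure is fixed
    // before any user data is seen, so an odd-looking value simply matches no row.
    static List<String> lookupPrepared(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT name FROM accounts WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Concatenation that a pattern-based static analyser will report as SQL
    // injection but which is safe: identifiers cannot be bound with '?', so the
    // column name is checked against a fixed allow-list first. Findings like this
    // need triage, not a code change, which is why raw tool counts mislead.
    static final List<String> SORTABLE = Arrays.asList("name", "role");

    static List<String> listSorted(Connection c, String column) throws SQLException {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("not a sortable column: " + column);
        }
        String sql = "SELECT name FROM accounts ORDER BY " + column;
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            return collect(rs);
        }
    }

    static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<String>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    // The XSS half of the count: anything reflected into a page (a user name, an
    // exception message in a dumped stack trace) goes through an output encoder.
    static String escapeHtml(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '&':  b.append("&amp;");  break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(ch);
            }
        }
        return b.toString();
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            seed(c);
            String probe = "' OR '1'='1";  // constructed input; no real account has this name
            System.out.println("concatenated: " + lookupConcatenated(c, probe));
            System.out.println("prepared:     " + lookupPrepared(c, probe));
            System.out.println("sorted:       " + listSorted(c, "role"));
            System.out.println("encoded:      " + escapeHtml("<script>alert(\"hello\")</script>"));
        }
    }
}
```

Run with `java -cp derby.jar:. InjectionDemo`. With the same probe string, the concatenated lookup returns both accounts because the quote terminates the literal and the `OR '1'='1'` tail makes the predicate true for every row, while the prepared lookup returns nothing because the whole string is compared as one name. `listSorted` is the case julesh describes: a tool that matches on `executeQuery(... + ...)` reports it alongside the genuinely vulnerable method, and only a human (or a tool that understands the allow-list check) can tell them apart.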

    • by Anonymous Coward on Tuesday July 22, 2008 @06:22AM (#24286631)

      FTFA:

      Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

      Note this:

      associated with multiple versions of the 11 open source software packages examined.

      How about testing oh, maybe the last version released?

  • by Anonymous Coward on Monday July 21, 2008 @07:43PM (#24282137)

    "Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined. "

    By multiple versions, do you mean they summed the bugs found across all versions released, so a program in version 1.23 which fixed a SQL injection in 1.22 gets nailed for it in 1.1, 1.2, 1.3... 1.22?

    This just in: releasing more versions multiplies the storage space required to store all versions of the software, thus Windows, with its 6-7 versions, has a tiny footprint when compared to a monolith like Linux with its 26 bloated 2.6 kernels (we'll be kind and not even count the 2.4 ones). Everyone should move to Windows (study sponsored by a not-fully-owned-subsidiary-of-Microsoft).

  • Java/Apache heavy? (Score:4, Insightful)

    by VGPowerlord (621254) on Monday July 21, 2008 @08:10PM (#24282411)

    Is it just me, or is this survey extremely Java heavy?

    Not only that, but there are a good number of Apache projects in particular... Apache Tomcat [apache.org], Apache Geronimo [apache.org], Apache Derby [apache.org], Apache Struts [apache.org]...

    • by Asher (88052) on Monday July 21, 2008 @09:00PM (#24282931)

      IIRC, the Fortify folks sell tools that do security auditing (static analysis) of Java code. So my money is on observer bias.

      Not paying much attention to the Web Services arena, are these some of the most popular Java projects?

      - ash

      • by VGPowerlord (621254) on Monday July 21, 2008 @09:31PM (#24283173)

        I've only used Tomcat. The others I've only run across while looking up information at work.

      • by jrumney (197329) on Tuesday July 22, 2008 @05:12AM (#24286145) Homepage

        Not paying much attention to the Web Services arena, are these some of the most popular Java projects?

        I don't know how much traction Geronimo or Derby have got now, but Struts, Hibernate, Tomcat, and JBoss are very popular, Resin and Jonas less so. The others I haven't heard of, but judging by their names OpenCMS and OFBiz are probably a bit outside my field so may be popular within their own field, and hipergate sounds like it might be a fork of hibernate, but a quick google shows it is actually a CRM server, again outside my field.

      • by julesh (229690) on Tuesday July 22, 2008 @06:02AM (#24286471)

        Not paying much attention to the Web Services arena, are these some of the most popular Java projects?

        Yes. Judging by the recruitment adverts I see, Tomcat+Hibernate+Struts is probably the most common combination of server & frameworks for new Java-based web projects right now. The others are pretty close, though. I'm surprised they missed out Spring, but that's a more generic and not web-biased framework. Also, it's probably not particularly susceptible to static analysis, as it does most of its work via runtime code generation, I believe.

    • by jrumney (197329) on Tuesday July 22, 2008 @04:59AM (#24286083) Homepage
      I suspect the survey is Java heavy so that the anonymous sponsor can pull it out again to put down Java (again without actually providing the data from their own competing platform for comparison, in order to remain anonymous).
    • by dwheeler (321049) on Tuesday July 22, 2008 @10:49AM (#24289293) Homepage Journal

      Yes, it's Java-heavy. The study author sells a proprietary static analysis tool for Java. So the Java bias is understandable, but their title should have made it clear that they were only analyzing a few Java programs, and not a representative sample of major OSS projects. They also ignored the enterprise support options for these programs, which is completely unjustifiable.

      I think its Java bias matters. Until very recently, most Java programs required Sun's proprietary Java implementation. The FSF and others warned of the Java Trap [gnu.org] - so a very large proportion of the FLOSS community has actively ignored these Java programs. Sun has recently released most of its Java implementation as FLOSS, and the most recent versions of Fedora and Ubuntu have now integrated it (though Debian hasn't), so I think we'll start to see more cooperation in Java projects.

      They made three claims, let's take a look at them...

      "Failure to Provide Access to Security Expertise... [aka] documentation that covers the security implications and secure deployment of the software they develop, a dedicated email alias for users to report security vulnerabilities, or easy access to internal security experts to discuss security issues". Odd, they seem to be ignoring the enterprise versions (e.g., Red Hat sells JBOSS support); that doesn't seem to be a fair methodology. Their demand for a "dedicated email alias" and "easy access to internal security experts" shows that they fail to understand that some people want totally open discussions, which these projects do support. They may not LIKE that, and actually I'd agree with them, but claiming that there's NO way to report vulnerabilities or to talk with developers seems fundamentally mistaken. I agree with them that documentation about security needs improvement, though I don't see any evidence that FLOSS is worse than proprietary on that count.

      "Failure to Adopt a Secure Development Process... In virtually every project analyzed, there were a significant number of security issues that went unaddressed over three generations of releases...". It's not clear what these "issues" were. Were these REAL issues, or just reports from a static analysis tool? I wish they'd gone more into this, it's hard to say this is really true or not given their report. Often static analysis tools' reports have LOADS of false positives. As a result, it's hard to see if this is real or not.

      "Failure to Leverage Technology to Uncover Security Vulnerabilities: The number of security issues identified in the study - especially in the most popular open source packages - was surprising...". Again, not surprising if what is being measured is raw unanalyzed tool output. It could be that every single "vulnerability" is a false positive (not an uncommon result, unfortunately). I would agree with them that I'd like to see more projects use more tools, but a lot of FLOSS projects do use tools. For example, the Linux kernel developers ended up creating their own static analysis toolsuite because tools are normally designed to analyze applications, not kernels.

      The claim that this is representative of FLOSS is unfounded, since it only considers a few Java programs and ignores their enterprise support options (which is what you'd use for an enterprise!). I really wish they'd explained what they meant by issues; the problem of tool false positives is very well known, and I don't see that they really addressed that.

      The original said: "Government and commercial organizations that leverage open source should use open source applications with great caution. Risk analysis and code review should be performed on any open source code running in business-critical applications...". Um, let's try: "Government and commercial organizations that leverage software should use software with great caution. Risk analysis and code review should be performed on any software running in business-critical applications..."

  • by Dracos (107777) on Monday July 21, 2008 @08:13PM (#24282449)

    This is a weak article about a specific set of open source projects designed to keep CIOs and CTOs from jumping off the Windows turnip truck.

    FUD... it's what's for dinner.

  • by Mystery00 (1100379) on Monday July 21, 2008 @09:00PM (#24282925)

    In other news, studies show that most studies are biased and wrong.

    Can you feel that? The universe just imploded.

  • by Anonymous Coward on Monday July 21, 2008 @09:06PM (#24282997)

    News Flash: researchers have released a study demonstrating that studies can conclude whatever you want them to conclude.

  • by fatp (1171151) on Monday July 21, 2008 @09:26PM (#24283137) Journal
    According to the article, the biggest security risk of Open Source Software is the lack of a support hotline number.
    • by tinkertim (918832) on Tuesday July 22, 2008 @12:30AM (#24284545) Homepage

      I got that impression too. Have you ever tried calling Microsoft support? By the time you actually get a qualified person to answer your question, you could have received 2 - 3 responses on an OSS project's forum or mailing list.

      Another interesting thing that I saw the study fail to mention: there are many OSS projects that clearly state on their web site "This is not yet production quality, use at your own risk"... yet anyone selling something new would not dare to issue such a warning.

      I really feel like the study is rampant FUD that hopes to be viral so that the authors can place themselves in some sort of authoritative role.

      I'm actually a little shocked that Network World even ran the story.

  • by bug1 (96678) on Tuesday July 22, 2008 @12:08AM (#24284317)

    "security practices need to improve because open source adoption by enterprises and governments is growing"

    So these Fortify people think security has to improve not because of the adverse effects it can have on users at large, but specifically because of the adverse effects on enterprise and government.

    Oh yeah, that's the reason I donated my time to the open source community, to help enterprise and government. After all, they are all about helping the people. I never did it to try to help the little bloke. /sarcasm

  • by rew (6140) <r.e.wolff@BitWizard.nl> on Tuesday July 22, 2008 @02:20AM (#24285297) Homepage

    Have you voted yet? Apparently, about 80% of the readers of that article "doesn't get it", and vote the opposite of what the article is trying to push across....

  • by Joker1980 (891225) on Tuesday July 22, 2008 @03:33AM (#24285695)
    Some asshat in a big office thinking to himself, "how can something written by lots of people in a community be more secure than something written by lots of people in a corporate HQ". The problem is not open source; I don't necessarily think it's a proprietary problem either. It's absolutely clueless people pulling 6 figure salaries making infrastructure decisions based on nothing more than what they "KNOW" to be true.
  • by Anonymous Coward on Tuesday July 22, 2008 @12:02PM (#24290297)

    is supplied by these bastards. Looks like they run a very unethical shop all the way. Bet they're swimming in dirty dollars.

  • by Vexorian (959249) on Tuesday July 22, 2008 @02:06PM (#24292363)
    1. Make up your own definition for what good security is.
    2. Pick 10 OSS projects that fail to follow that definition.
    3. Release headline "OSS software a security risk"
    4. ???
    5. Profit! (From whom though?)
  • I'm a DBA for a USAF Enterprise Java app. Recently, we underwent a security audit which involved a Fortify scan.

    What makes this so interesting is that one of the Fortify findings was the lack of full implementation of Struts in the application, which we're in the process of correcting.

    I find it quite funny that they're finding fault with Struts, which they recommend using in their security scans. Ah, Irony. How I love thee.
