Study Says Open Source Software a Security Risk 86
chareverie writes "Fortify Software released a study where they concluded that open source software poses a large security risk to corporations who have implemented it. They reason this by stating that the fault lies within the open source communities and their failure to adhere to minimum security practices. Fortify Software studied 11 open source software packages, where the application server Tomcat was determined to be the best. The other 10 were found to have poor results, with those being Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts. Jacob West, manager of Fortify's research group, reminds that purpose of the study was 'not to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.'"
What we use (Score:2, Insightful)
Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts
While we use tomcat, thankfully we don't use any of the others (in fact, I haven't even heard of several of them). As an example, we use Alfresco as our cms. If it ever caused security concerns, we could switch to a different open source cms. This would probably be quite a bit tougher if you were stuck with a single closed source package (and good luck finding out which "minimum security practices" a closed source vendor uses).
Re:ZOMG!!! (Score:5, Insightful)
That being said, these are valid complaints, and if external support is going to be an issue with your company, then you need to think very carefully about whether open source software is right for you.
Re:I've only heard of two of those... (Score:4, Insightful)
JBoss is not widely used. Struts is, Hibernate mostly is... However, the underlying problem is that these are ALL middleware packages. Is the study claiming that the middleware is faulty? Or that the apps other people write on top of that middleware has issues? If it's the apps, then the middleware is likely blameless. Even if it is the middleware, why isn't the app filtering out erronious inputs? And why is the middleware being run in a container with excessive permissions?
This study manages to tell me one thing: This group has no idea how to perform studies. Even most FUD merchants would do a bit better job of covering the deficiencies in their methods.
OSS is a risk compared too... (Score:5, Insightful)
in other news... (Score:4, Insightful)
In other security news.. (Score:3, Insightful)
Blah blah blah (Score:3, Insightful)
Studies also conclude that lunixes is a big intellectual IP property ripoff doomed to failure, laptops will completely replace desktops in ten years, and piracy is a really big problem that's sending business after business into bankruptcy.
It's wonderful how you can release any anecdotal evidence from a limited perspective as a marketable 'study'.
I'm releasing a study on how interest groups posing as reputable and productive companies pass bullshit around like the flu.
Re:ZOMG!!! (Score:3, Insightful)
Yeah, I looked over most of the projects that they commented about... it's like, um... where are the big names? OpenBSD, Linux, X.org, Apache?
Like... oh right, if they reviewed high-profile FOSS projects rather than low-band FOSS projects, they'd come out with different results...
TRASHBIN!
Re:I've only heard of two of those... (Score:3, Insightful)
Or a real programmer as any good programmer doesn't particularly care what SHOULD be necessary and only concerns himself with what IS necessary here in the real world.
Java/Apache heavy? (Score:4, Insightful)
Is it just me, or is this survey extremely Java heavy?
Not only that, but there are a good number of Apache projects in particular... Apache Tomcat [apache.org], Apache Geronimo [apache.org], Apache Derby [apache.org], Apache Struts [apache.org]...
Did MS get their receipt for this study? (Score:3, Insightful)
This is a weak article about a specific set of open source projects designed to keep CIO's and CTO's from jumping off the Windows turnip truck.
FUD... it's what's for dinner.
researchers on studies (Score:1, Insightful)
News Flash: researchers have released a study demonstrating that studies can conclude whatever you want them to conclude.
Re:Apples, oranges, or bananas? (Score:4, Insightful)
No, if anything, these packages aren't unrelated enough to get a good cross section of FOSS. They're mostly web app-related thingys that are tied into Java. I haven't heard of most of them, probably because I stay strictly away from Java.
Re:Where to start... (Score:4, Insightful)
I wonder how they're counting. They quote says across "multiple versions". Are they giving multiple counts for a single vulnerability that exists in multiple versions?
Re:Biggest security risk of Open Source Software (Score:3, Insightful)
I got that impression too. Have you ever tried calling Microsoft support? By the time you actually get a qualified person to answer your question, you could have received 2 - 3 responses on a OSS project's forum or mailing list.
Another interesting thing that I saw the study fail to mention, there are many OSS projects that clearly state on their web site "This is not yet production quality, use at your own risk" .. yet anyone selling something new would not dare to issue such a warning.
I really feel like the study is rampant FUD that hopes to be viral so that the authors can place themselves in some sort of authoritative role.
I'm actually a little shocked that Network World even ran the story.