Study Says Open Source Software a Security Risk 86
chareverie writes "Fortify Software released a study where they concluded that open source software poses a large security risk to corporations who have implemented it. They reason this by stating that the fault lies within the open source communities and their failure to adhere to minimum security practices. Fortify Software studied 11 open source software packages, where the application server Tomcat was determined to be the best. The other 10 were found to have poor results, with those being Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts. Jacob West, manager of Fortify's research group, reminds that purpose of the study was 'not to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.'"
ZOMG!!! (Score:5, Interesting)
Why, this is just too much, how will we ever recover? And they even based it on 11 whole OSS projects... Game over!
I've only heard of two of those... (Score:3, Interesting)
Tomcat and OpenCMS, to be specific. And I don't use any of them.
This might be interesting news to me if they found problems with: Apache 2, PHP 5, Wordpress, Gallery 2, or Python 2.5, which is basically what my site runs on.
And yes, I know there's security problems with PHP and Wordpress. I'm just pointing out that they aren't targeting more popular software; wonder why?
Judge for yourself (Score:5, Interesting)
I'm not an expert on open source and security but I get the feeling that the authors judged open source software based on closed source standards. They author complain that disclosing security issues with general bugs was a problem. Did the author not understand that full disclosure is one of the tenets of open source? The last gripe is that the service wasn't the same with lack of contacts and responses. Judging by the summary it appears that the author just monitored the community forums. Did the authors even pay for support? When you pay for software and support, you should get it. When you don't pay for software or support, why should you deserve service?
Proprietary Software Poses a Risk to corporations (Score:3, Interesting)
Closed source/propetiary software doesn't adhere 100% to industry "best" practices, such as providing a prominent link to security information on their Web site either.
It's just not as easy to see where closed source is lacking, because, well: you don't have the source to conduct research into the security flaws.
If the source was not public, you in many cases, would have never known that X practice wasn't being followed by certain elements of the software.
Closed software can ignore practices whenever convenience, and since the source is closed, they are all but immune to this type of analysis.
A true comparison requires actually obtaining the source to proprietary software and using that to its full advantage to find security flaws.
Re:ZOMG!!! (Score:5, Interesting)
Biggest security risk of Open Source Software (Score:4, Interesting)
Re:Judge for yourself (Score:5, Interesting)
Many of the projects they evaluated are Apache projects. The Apache Foundation has a private list for security bugs (security AT apache.org) so their complaints on that basis are unjustified for those projects at least. And I would be very surprised if they found security bugs in all of those projects in order to test the responsiveness of the developers, so I guess they sent some random mail that was probably justifiably discarded as spam.
Re:Where to start... (Score:5, Interesting)
You're just on the edge, I suspect, of the reason they didn't get good responses from the maintainers of the code for the "vulnerabilities" they reported. That's because, in most cases, they probably weren't vulnerabilities. The authors of the report are the producers of a static analysis tool that -- you guessed it -- detects potential XSS and SQL injection vulnerabilities. Of course, it (like all such tools) has a very high false positive rate.
In the case of code that automatically generates SQL code algorithmically (not using hard-coded prepared statements, for example) like Hibernate, or generates HTML code algorithmically (like, say, pretty much any JSP implementation or templating language), the number of false positives is going to be huge.
Any bets they didn't bother stripping out those false positives before reporting the "vulnerabilities"?