By Jack M. Germain LinuxInsider Part of the ECT News Network
07/21/08 8:28 AM PT
Enterprises using certain kinds of open source software may be exposing themselves to serious security risks, according to a study from Fortify Software. The study, which focused primarily on non-commercially supported OSS, found many packages have no ground rules for reporting bugs and do not adequately inform users about how to use the applications safely.
The most widely used open source software packages for the enterprise are exposing users to significant and unnecessary business risks, according to an open source security study from security firm Fortify Software.
The study, released Monday, concludes that open source software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, the study found that nearly all OSS communities fail to provide users access to security expertise to help fix these vulnerabilities and security risks.
The survey, sponsored by Fortify and completed by application security consultant Larry Suto, examined 11 of the most common Java open source packages.
"The findings startled us. We found numerous vulnerabilities in the open source packages tested. Communities lack a process for testing security. When enterprise users adopt these software packages, they get substantial risk," Jacob West, manager of security for the research group at Fortify, told LinuxInsider.
Testing Parameters
Fortify decided to conduct the security test for several reasons. The use of open source software in enterprise is expanding rapidly. The company sees strong adoption of numerous core packages, and its customers were pushing to know about inherent risks associated with their choices, said West.
In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. The company downloaded multiple versions of each package and scanned them for vulnerabilities using Fortify SCA (the company's static analyzer). In addition, testers manually reviewed security-sensitive areas of code.
The security testing focused primarily on non-commercially supported open source packages, West said.
Biggest Faults
Two major concerns topped Fortify's list of findings. These are consistent with community-developed software and are not typically found with commercial open source products.
One is the absence of any procedure for reporting bugs or security flaws. The other is the lack of any guidelines on how to use the software securely.
"Open source software is an Achilles' heel in today's corporate enterprises and should be a significant concern for CIOs who depend on open source software to run their business," said Howard Schmidt, former cyber-security adviser to the White House. "This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, there just aren't the mechanisms in place to influence a secure development process."
No Offense
Fortify officials hope the open source community will respond positively to the findings.
"We're not trying to indict communities for something they do not have the money to fix," said West. "We have no real concerns about a negative reaction to the study findings."
At the same time, enterprise users of open source software need to understand the risks involved, according to the company. They have to pay the price to make sure what they use is secure, West added.
Adoption Concerns
The security weaknesses Fortify spotlights should serve as a wake-up call for the open source industry, as the growth of open source in industry is continuing at a steady pace, West noted.
"Its growth is unstoppable," he said. "Trying to stop it would be like standing in front of a tidal wave."
Recent industry reports support that growth trend. Research firm Gartner (NYSE: IT) reported that by 2011, 80 percent of commercial software will include elements of open source technology. A report from Forrester Research noted that for over 88 percent of respondents, security of open source software was an important concern.
Proactive Steps
As a result of the survey, Fortify recommends that enterprises follow the example of financial services companies in applying risk and coding analysis techniques to their open source software, West said. In addition, enterprises should raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream.
Enterprise security teams should also perform assessments to understand where their open source deployments and components stand from a security standpoint, according to the firm. To that end, Fortify's Java Open Review provides audited versions of several open source packages.
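To make the study's methodology and its recommendation concrete, here is an added example, not code from Fortify, the study, or any package it examined. It is a deliberately small Python scanner in the spirit of the approach described above: it runs a few lexical vulnerability checks over two constructed versions of a hypothetical Java package and reports which findings were fixed, introduced, or persist between releases, which is the kind of assessment an enterprise team could run over the open source components it actually deploys. All Java snippets, file paths, and rule names are constructed for this example; a real static analyzer such as Fortify SCA tracks data flow rather than matching single lines.

```python
"""Toy source-level scanner (added example, not Fortify's tooling).

Scans several versions of a Java package for a handful of high-signal
patterns and reports which findings persist across releases.  The Java
sources below are constructed for this illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the rule that fired
    file: str      # path inside the package
    line: int      # 1-based line number
    snippet: str   # the offending source line, whitespace-stripped


# A string literal glued to an expression with '+', e.g. "... WHERE id=" + id
CONCAT = re.compile(r'"\s*\+|\+\s*"')

# (rule name, sink pattern, whether string concatenation must also be present)
# These are lexical checks only: they flag lines where a string is assembled
# with '+' on the same line as a sensitive sink.
RULES = [
    ("sql-concat", re.compile(r'\.(executeQuery|executeUpdate|execute|prepareStatement)\s*\('), True),
    ("cmd-concat", re.compile(r'Runtime\.getRuntime\(\)\.exec\s*\('), True),
    ("hardcoded-secret", re.compile(r'(?i)\b(password|passwd|secret)\s*=\s*"[^"]+"'), False),
]


def scan_source(path, source):
    """Return the findings for one Java source file."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("//"):      # toy: skips line comments only
            continue
        for name, sink, needs_concat in RULES:
            if sink.search(line) and (not needs_concat or CONCAT.search(line)):
                findings.append(Finding(name, path, lineno, line))
    return findings


def scan_package(files):
    """Scan a {path: source} mapping in a stable (sorted) file order."""
    out = []
    for path, src in sorted(files.items()):
        out.extend(scan_source(path, src))
    return out


def _key(f):
    # Key on rule, file and source text rather than line number, so a finding
    # that merely moved a few lines still counts as persisting.
    return (f.rule, f.file, f.snippet)


def compare_versions(old, new):
    """Classify findings between two scanned versions of the same package."""
    old_keys, new_keys = {_key(f) for f in old}, {_key(f) for f in new}
    return {
        "fixed": sorted(old_keys - new_keys),
        "introduced": sorted(new_keys - old_keys),
        "persisting": sorted(old_keys & new_keys),
    }


# Constructed "version 1" of a hypothetical package: SQL and a shell command
# are both assembled by concatenation, and a credential sits in source.
V1 = {
    "src/UserDao.java": """
public class UserDao {
    String password = "hunter2";
    ResultSet find(Statement st, String id) throws SQLException {
        return st.executeQuery("SELECT * FROM users WHERE id = '" + id + "'");
    }
}
""",
    "src/Tools.java": """
public class Tools {
    void ping(String host) throws IOException {
        Runtime.getRuntime().exec("ping -c 1 " + host);
    }
}
""",
}

# Constructed "version 2": the query is parameterised and the command is
# passed as an argument array, but the embedded credential was never removed.
V2 = {
    "src/UserDao.java": """
public class UserDao {
    String password = "hunter2";
    ResultSet find(Connection c, String id) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE id = ?");
        ps.setString(1, id);
        return ps.executeQuery();
    }
}
""",
    "src/Tools.java": """
public class Tools {
    void ping(String host) throws IOException {
        Runtime.getRuntime().exec(new String[] {"ping", "-c", "1", host});
    }
}
""",
}


if __name__ == "__main__":
    report = compare_versions(scan_package(V1), scan_package(V2))
    for status, keys in report.items():
        print(status)
        for rule, path, snippet in keys:
            print(f"  [{rule}] {path}: {snippet}")
```

Running the block against the constructed sources reports the SQL and command concatenation as fixed in version 2 and the hard-coded credential as persisting, which is exactly the kind of cross-version view the study used to judge whether a community addresses what it ships. Keying findings on source text rather than line number keeps a finding that merely moved from being miscounted as both fixed and newly introduced.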
"Most open source communities do not follow enterprise-level change control standards," said Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. "There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."