Fortify Software, Inc., released its Open Source Security Study which reveals that the most widely-used open source software packages for the enterprise are exposing users to significant and unnecessary business risk. The study validates that Open Source Software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, the study found that nearly all OSS communities fail to provide users access to security expertise to help remediate these vulnerabilities and security risks.
“Open source software can be another valuable option in today’s corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business,” said Howard A. Schmidt, former cyber security advisor to the White House. “This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms to test and analyze software code need to be done with great rigor in open source communities to influence a secure development process.”
The survey, sponsored by Fortify Software and completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA (the static analyzer found in Fortify’s security suite, Fortify 360). Manual scanning was also executed on security-sensitive areas of code.
Increased enterprise adoption of open source is evidenced by reports from a number of leading analyst firms, including Gartner, which recently reported that by 2011, 80% of commercial software will include elements of open source technology (Gartner, The State of Open Source 2008,” April 2008). Additionally, an April 2008 survey from CIO reported that more than half of its respondents are using open source applications in their organizations today(1). A recent report from Forrester Research noted that for over 88% of respondents, security of open source software was an important concern (Source: Forrester Research: Enterprise and SMB Software Survey, 2007)
Although enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. As a result of the survey, Fortify recommends that enterprises should follow the example of financial services companies in applying risk and coding analysis techniques to their open source software. In addition, enterprises should:
— Raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream. Enterprise security teams should articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles.
— Perform assessments to understand where their open source deployments and components stand from a security standpoint.
— Remediate vulnerabilities internally or leverage Fortify’s Java Open Review which provides audited versions of several open source packages.
“Most open source communities do not follow enterprise-level change control standards,” says Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. “There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don’t anticipate.”
“Today’s enterprises are built and operated by software that comes from a variety of sources,” commented Roger Thornton, founder and CTO of Fortify Software. “The software could be developed in-house, purchased off-the-shelf, outsourced, or as we’re seeing more often, based on open source. In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source.”
To access a copy of the survey results, please visit http://www.fortify.com/l/oss/oss_report.html. For more information on Fortify’s open source initiative, Java Open Review, visit http://opensource.fortify.com/.
Visit https://www1.gotomeeting.com/register/929272775 to register for the webinar, “A CISO’s Guide to Securing Open Source Software.”