> "There are no phone numbers. Who do you go to ask for information? It's kind of hard to tell who these people are."

Pay them for support and get their numbers? Which closed-source software company offered you support by phone when you didn't pay for support?
Open source software
Well, I have to fix about 15 Windows machines this weekend and 0 machines with open source.
That is why I love Windows: it gives me work to do.
best security practices...
Now it all depends how Fortify defines "best security practices"
Each and every open source software package carries a file, often named "LEGAL", that states ...
"All source code, binaries, documentation, information, and other files contained in this distribution are provided AS IS with NO WARRANTY OF ANY KIND, INCLUDING THE WARRANTY OF DESIGN, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE."
Now isn't it a "best/better/excellent" security practice to WARN a user?
FUD, Stupidity
Well, certainly Fortify (whatever) has all interest in disseminating FUD, so they can make some money.
Now, there is also the possibility that the "study" has been paid for by - who else? - Microsoft. Remember those fake benchmarks pitching Windows vs. Linux that Microsoft sponsored? Yeah...
And, of course, Windows & company do have a record for security, right? A *negative* record, but still a record...
Open source, open sore
Nothing is free. The idea of free software being worth something was cultivated by geeks. Geek knowledge is like currency. They trade on it to garner more power and money. As for the real value of open source, it's about equal to doing nothing.
FUD? no... sorry
Honestly, I don't think this is FUD, or Fortify selling anything (they sell the tools that evaluate security in code). I think this is reality - but a reality some companies choose willingly.
There is a tradeoff when you purchase tools versus download and use open-source. Open source is typically free but comes with a price tag of a different sort - support. There isn't as much of a development effort, adherence to standards, or technical support in free software... but then there also isn't the massive price tag.
As a business, you choose.
Bad Conclusions
I sense a hidden agenda here. First of all, you can't evaluate such a narrow range of software (clearly the study focused on a small number of prominent open-source application servers and content management systems) and then turn around and say 'open source software is a security risk'. That's sensationalism at its worst. Even assuming the results of the study are unbiased and accurate, the most that should be claimed is that current open-source offerings in application server/content management have shortcomings in security and customer support. I have my doubts about even those conclusions.
Second, the implication is that closed-source products fare better, but there is no control group here. Perhaps there is a general security concern in the application server category? We'll never know, of course, because the study and article are too busy furthering their agenda that open source represents an enterprise risk.
So, should we just trust closed source?
After the NSA key hidden in Windows, and some reports of Vista "calling home" every now and then, I don't think closed source is any more secure than open source.
With open source you can at least see what is happening. And, if the "community" doesn't react as quickly as you'd want, you can often patch it yourself. Not so with closed source.
That's a pathetic situation. Whoever is behind that report - and similar ones - has money, not security, in their mind.
Big numbers. Too big, actually.
"Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined."
Wow! That's a lot!
I smell something fishy here.
Anyway, somebody said that "statistics are the art of lying with numbers".
It is just that some lies are better told than others.
I agree about surveys, but this is a study...
I am the first one to point out that surveys are trash; the numbers can be skewed to whatever the intended agenda is. With that said, this was a study, not a survey. Conducted over three months with people actually interacting with the "support sites" for the open source software they were studying. I agree Fortify Software has something to gain with the release of this article, but I think they have a very valid point. The cost is going to come in at some point, with open source software it is with the maintenance part of the software development life cycle. It will likely be a hefty cost for a corporation using open source software as they need to adhere to standards, both internal and government regulations. This is just my two cents worth.
Survey, study, who cares? It's based on false assumptions.
It doesn't matter whether you call it a "study" or a "survey"; if it depends on being able to speak to people on the phone it's worthless, because that is not the most efficient way to communicate with developers *whether at an open source project or not*. I'll bet that they never spoke to the developers at the projects that did have a corporate structure, either... well, you know, the developers are all you get.
As for costs, the costs of dealing with software problems (whether security related or not) are orders of magnitude less with open source projects. A lot of the time you can include a patch to fix the problem with the problem report, and you don't have to spend expensive "phone tag time" communicating with them: that "talking to someone on the phone" part is a COST, not a BENEFIT. AND you can actually fix them, if the project doesn't. I've got open problems with Microsoft that are over 10 years old, that they STILL haven't fixed, that they will NEVER fix.