Open source software is a significant security risk for corporations that use it because in many cases the open source community fails to adhere to even minimal security best practices, according to a study released Monday.
The study, carried out by Fortify Software with help from consultant Larry Suto, evaluated 11 open source software packages and each community's response to security issues over the course of about three months. The goal was to find out whether the community behind each package was responsive to security questions and vulnerability reports, published security guidelines and maintained a secure development process.
Open source application server Tomcat scored the best in the study, titled "Open Source Study -- How Are Open Source Development Communities Embracing Security Best Practices?"
The remaining 10 open source application, tool and database packages -- Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts -- had a dismal showing. Among these 10 packages, application server JBoss scored higher by providing a prominent link to security information on its Web site and easy access to security experts, but came up short for not having a specific e-mail alias for submission of security vulnerabilities.
"You don't want to report bugs to a general mailing list because it would go to the general public," says Jacob West, manager of Fortify's security research group. Vulnerability reports need a confidential channel so that a fix is ready by the time the public is notified and attackers don't get early information they can exploit.
But too often the open source communities that offer their software for free don't appear to be as mindful about security practices as their commercial counterparts, which charge for software and support, West says.
Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.
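The two issue classes Fortify counted are the classic taint-flow bugs a static analyzer looks for: request data concatenated into a SQL statement, and request data written into an HTML response unescaped. The following is an added illustration, not code from the study or from any of the 11 packages, and it is written in Python with an in-memory sqlite3 table (constructed here, with a made-up user "alice") rather than in the Java these projects use; the vulnerable form of each function sits beside the hardened one so the difference is visible.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample user store standing in for an application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Request data concatenated straight into the query text: the pattern a
    # taint-tracking scanner reports as SQL injection. A password of
    # ' OR '1'='1 turns the WHERE clause into ... OR '1'='1' and matches.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameters: values travel separately from the SQL text, so quote
    # characters in the input can never change the statement's structure.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def greeting_vulnerable(name: str) -> str:
    # Reflecting a request parameter into the response body unescaped:
    # reflected cross-site scripting.
    return "<p>Hello, " + name + "</p>"


def greeting_hardened(name: str) -> str:
    # Escape at the HTML text sink so markup in the input is rendered as text.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(conn, "alice", payload))   # True: authentication bypass
    print(login_hardened(conn, "alice", payload))     # False: payload is just a wrong password
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_hardened("<script>alert(1)</script>"))
```

The scanner counts cited above are per occurrence across multiple versions, so one concatenation pattern copied through several releases is counted each time; the fix in each case is the same, parameterize the query and escape at the output sink.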
But when Fortify tried to reach the open source communities, whose only published points of contact were a Web site and a general e-mail address, the security firm found that "in two-thirds of these cases, you didn't get a response at all," West says. "There are no phone numbers. Who do you go to ask for information? It's kind of hard to tell who these people are."
Comments (47)
Survey, study, who cares? It's based on false assumptions.
By Resuna on August 7, 2008, 7:53 am
It doesn't matter whether you call it a "study" or a "survey", if it's depending on being able to speak to people on the phone it's worthless, because that is...
I agree about surveys, but this is a study...
By yarbie2 on August 6, 2008, 9:22 pm
I am the first one to point out that surveys are trash; the numbers can be skewed to whatever the intended agenda is. With that said, this was a study, not a survey....
I don't "keep suggesting" any such thing.
By Resuna on July 29, 2008, 10:33 am
"You keep suggesting you're more comfortable hearing that your software might have a flat tire from someone you know rather than someone you don't." Christ no!...
The study is FUD
By Anonymous on July 29, 2008, 5:39 am
One of the writers at osourcemobile has written a detailed response to this study. The response provides more information than any of the blog articles about the...
open-source software security
By Ellen Messmer on July 28, 2008, 1:32 pm
You keep suggesting you're more comfortable hearing that your software might have a flat tire from someone you know rather than someone you don't. At the same time,...