A report sponsored by software security vendor Fortify Software accuses the open-source community of dropping the ball on security during the development process. But is open source really less secure? Not necessarily.Fortify Software released a report July 21 that will likely wake open-source advocates and application developers from their morning calm.
Dubbed the “Open Source Security Study,” the Fortify-sponsored
report, which was prepared by security consultant Larry Suto, examined
11 of the most common Java open-source packages for vulnerabilities
using Fortify’s technology. Two to four versions of each were tested,
including versions of JBoss Application Server, Apache Derby and
OpenCMS.
The study uncovered 22,828 cross-site scripting vulnerabilities and
15,612 SQL injection issues. In addition, the number of security issues
often either increased or stayed about the same from one generation of
a release to another. For example, 10,734 issues were found in
Hipergate 2.1.2.0, while 14,425 were found in Hipergate 3.0.2.6,
despite the fact that the latter version had roughly 28,000 fewer lines
of code.
“We sought out three security resources that users of open source
might rely on: documentation that covers the security implications and
secure deployment of the software they develop, a dedicated e-mail
alias for users to report security vulnerabilities or easy access to
internal security experts to discuss security issues,” the report
reads. “We found few open-source projects provide any of these
resources.”
What the report doesn’t include is much direct evidence about the security practices involved in the development processes in question.
“It’s one thing to say that popular applications being used by
enterprises are vulnerable to exploits,” said Nick Selby, an analyst
with The 451 Group. “It’s another then to turn around and extrapolate
from that and say that open-source software is more dangerous or less
dangerous than proprietary software, because the data doesn’t show
that. The data shows that the applications that were examined had
vulnerabilities. All applications have vulnerabilities.”
That should not be construed to say the report does not contain some
sound suggestions, such as appointing a security expert with the power
to veto releases from getting into production and mandating processes
that integrate security throughout the development lifecycle, such as
threat modeling. It also recommends developers leverage the JOR (Java Open Review)
project, which Fortify has headed up since 2006. Four of the 11
projects included in the report – Tomcat, Hibernate, OFBiz and Struts -
are actually part of JOR.
“When enterprises look at open-source applications they typically
are relying on a number of different things,” Selby said. “They are
relying on the community itself to fish at problems and they’re making
the assumption that happens on a regular and disciplined basis. I’m not
sure that it makes sense to do that any more than it makes sense to do
that with proprietary software. ... Security has to be baked into the
application development lifecycle.”
In a statement, Fortify CTO Roger Thornton advised businesses to take open-source security seriously.
“Today’s enterprises are built and operated by software that comes
from a variety of sources,” he said. “The software could be developed
in-house, purchased off-the-shelf, outsourced or as we’re seeing more
often, based on open source. In order to mitigate the business
risk created by insecure applications, it is imperative that companies
adopt a process that allows them to assess, remediate and prevent
security vulnerabilities in all of their business software, whatever
the source."
