Report Alleges Open-Source Security Breakdowns

A report sponsored by software security vendor Fortify Software accuses the open-source community of dropping the ball on security during the development process. But is open source really less secure? Not necessarily.

Fortify Software released a report July 21 that will likely wake open-source advocates and application developers from their morning calm.

Dubbed the "Open Source Security Study," the Fortify-sponsored report, which was prepared by security consultant Larry Suto, examined 11 of the most common Java open-source packages for vulnerabilities using Fortify's technology. Two to four versions of each were tested, including versions of JBoss Application Server, Apache Derby and OpenCMS.

The study uncovered 22,828 cross-site scripting vulnerabilities and 15,612 SQL injection issues. In addition, the number of security issues often either increased or stayed about the same from one generation of a release to another. For example, 10,734 issues were found in Hipergate, while 14,425 were found in Hipergate, despite the fact that the latter version had roughly 28,000 fewer lines of code.

"We sought out three security resources that users of open source might rely on: documentation that covers the security implications and secure deployment of the software they develop, a dedicated e-mail alias for users to report security vulnerabilities or easy access to internal security experts to discuss security issues," the report reads. "We found few open-source projects provide any of these resources."

What the report doesn't include is much direct evidence about the security practices involved in the development processes in question.

"It's one thing to say that popular applications being used by enterprises are vulnerable to exploits," said Nick Selby, an analyst with The 451 Group. "It's another then to turn around and extrapolate from that and say that open-source software is more dangerous or less dangerous than proprietary software, because the data doesn't show that. The data shows that the applications that were examined had vulnerabilities. All applications have vulnerabilities."

That should not be construed to say the report does not contain some sound suggestions, such as appointing a security expert with the power to veto releases from getting into production and mandating processes that integrate security throughout the development lifecycle, such as threat modeling. It also recommends developers leverage the JOR (Java Open Review) project, which Fortify has headed up since 2006. Four of the 11 projects included in the report - Tomcat, Hibernate, OFBiz and Struts - are actually part of JOR.

"When enterprises look at open-source applications they typically are relying on a number of different things," Selby said. "They are relying on the community itself to fish at problems and they're making the assumption that happens on a regular and disciplined basis. I'm not sure that it makes sense to do that any more than it makes sense to do that with proprietary software. ... Security has to be baked into the application development lifecycle."

In a statement, Fortify CTO Roger Thornton advised businesses to take open-source security seriously.

"Today's enterprises are built and operated by software that comes from a variety of sources," he said. "The software could be developed in-house, purchased off-the-shelf, outsourced or as we're seeing more often, based on open source. In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source."