Enterprises warned on open source security
By Iain Thomson on Jul 22, 2008 1:50PM
A study into eleven popular open source applications has suggested that enterprises are underestimating the security risks of using the code..
Security vendor Fortify studies the applications, including JBoss and OpenCMS, and found a number of security problems, which it partially blames on bad security practices and processes by open source programmers.
“Security best practices are a low priority to the open source projects surveyed,” said the company’s Open Source Security Study.
“Yet open source packages often claim enterprise-class capabilities but are not adopting - or even considering - industry best security practices. Only a few open source development teams are moving in the right direction.”
Mozilla was highlighted as one of the open source projects that took security most seriously, but the report found that many other projects were no taking security of design and implementation seriously.
The report highlighted three features Fortify considered vital for enterprise software security: proper documentation, access to security coders within the development group and a clear point of contact for security questions.
Only two of the packages reviewed offered a link to security documentation, three gave access to security coders and only one, Tomcat, had a dedicated security email.
"Most open source communities do not follow enterprise-level change control standards," says Jennifer Bayuk, independent security consultant and former chief information security officer of Bear Stearns.
"There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."
The study also looked at the lifecycle of patching and found serious concerns with some applications, with patches taking up to a year to get issued. Hipergate’s CRM applications faired particularly poorly.