Enterprises warned on open source security

By

A study into eleven popular open source applications has suggested that enterprises are underestimating the security risks of using the code..



Security vendor Fortify studies the applications, including JBoss and OpenCMS, and found a number of security problems, which it partially blames on bad security practices and processes by open source programmers.

“Security best practices are a low priority to the open source projects surveyed,” said the company’s Open Source Security Study.

“Yet open source packages often claim enterprise-class capabilities but are not adopting - or even considering - industry best security practices. Only a few open source development teams are moving in the right direction.”

Mozilla was highlighted as one of the open source projects that took security most seriously, but the report found that many other projects were no taking security of design and implementation seriously.

The report highlighted three features Fortify considered vital for enterprise software security: proper documentation, access to security coders within the development group and a clear point of contact for security questions.

Only two of the packages reviewed offered a link to security documentation, three gave access to security coders and only one, Tomcat, had a dedicated security email.

"Most open source communities do not follow enterprise-level change control standards," says Jennifer Bayuk, independent security consultant and former chief information security officer of Bear Stearns.

"There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."

The study also looked at the lifecycle of patching and found serious concerns with some applications, with patches taking up to a year to get issued. Hipergate’s CRM applications faired particularly poorly.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:
enterprisesonopensecuritysoftwaresourcewarned

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

Orica to set new workforce systems live in Australia in July

Orica to set new workforce systems live in Australia in July
Lion builds an app to detect its beers on tap in venues

Lion builds an app to detect its beers on tap in venues
ANZ Institutional readies go-live for "multi-agent chatbot" amie

ANZ Institutional readies go-live for "multi-agent chatbot" amie
Victoria Police refreshes online reporting

Victoria Police refreshes online reporting
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?