Rising Enterprise Adoption of Open Source Software is Putting Businesses At Greater Risk

 
Widely-used open source software packages do not employ best practices for securing code

Fortify Software Inc., the market leader in enterprise application security solutions for business software assurance, released today its Open Source Security Study which reveals that the most widely-used open source software packages for the enterprise are exposing users to significant and unnecessary business risk. The study validates that Open Source Software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, the study found that nearly all OSS communities fail to provide users access to security expertise to help remediate these vulnerabilities and security risks.

The survey, sponsored by Fortify Software and completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA (the static analyzer found in Fortify’s security suite, Fortify 360). Manual scanning was also executed on security-sensitive areas of code.

Increased enterprise adoption of open source is evidenced by reports from a number of leading analyst firms, including Gartner, which recently reported that by 2011, 80% of commercial software will include elements of open source technology (Gartner, The State of Open Source 2008,” April 2008). Additionally, an April 2008 survey from CIO reported that more than half of its respondents are using open source applications in their organizations today. A recent report from Forrester Research noted that for over 88% of respondents, security of open source software was an important concern (Source: Forrester Research: Enterprise and SMB Software Survey, 2007)

Although enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. As a result of the survey, Fortify recommends that enterprises should follow the example of financial services companies in applying risk and coding analysis techniques to their open source software. In addition, enterprises should:

1) Raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream. Enterprise security teams should articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles.
2) Perform assessments to understand where their open source deployments and components stand from a security standpoint.
3) Remediate vulnerabilities internally or leverage Fortify’s Java Open Review which provides audited versions of several open source packages.

Quelle: Fortify Software, Inc.