Sunday, July 20, 2008

Is Open Source Development Insecure?

A leading application security firm issues research report alleging that open source software developers are missing the security boat.

One of the basic theories behind open source and its relative security is the fact that many eyeballs are looking at code to identify potential and real trouble spots. According to application security vendor Fortify Software, many eyeballs alone aren't enough. In fact Fortify argues in a new study that open source software is insecure and is exposing enterprises to risk since secure development processes have not been properly adopted.

Fortify's study looked at 11 open source java projects and ran them through a barrage of tests to identify secure practices. In general Fortify argued that the projects had a variety of security vulnerabilities including Cross Site Scripting and SQL injection flaws and that there was an overall lack of secure development processes in place.

"We think that open source software is an area of under-explored risk that we want to help enterprises better understand it," Jacob West security research group manager at Fortify told InternetNews.com. "We found notable vulnerabilities in all of the eleven open source packages we looked at. Because of the rampant numbers we found we think that open source projects aren't leveraging security tools properly."

Read More Article...

1 comment: