Tuesday, August 5, 2008

Open Source Code = Insecure Code?

Research released by application security vendor Fortify (www.fortify.com) in July 2008 has highlighted security flaws in commonly used open source applications, some of which are being installed and deployed by large enterprises and government organisations.

The paper, "Open Source Security Study - How are Open Source Development Communities Embracing Best Security Practices?" reports on research undertaken by Fortify into the security of open source projects.

The projects examined ranged from the Derby relational database through to the JBoss application server and the OpenCMS content management server. Each was analysed using Fortify SCA, a static analysis tool that detects security flaws in source code, and any major issue the tool reported was then checked manually to confirm the finding.

Some of the flaws uncovered spanned two or three generations of a product, meaning they had gone unaddressed for up to a year. Across the projects analysed, the defect density ranged from 0.27 to 178.2 issues per 1000 lines of code (KLOC). Cross-site scripting and SQL injection were the most prevalent classes of flaw, which clearly shows that developers are still missing these well-known code security problems.
