How to deal with the open source security challenge

Open source software is everywhere but the way it is produced poses specific challenges to security concious enterprises, argues Fortify Software.


Organisations everywhere are opening their doors to open source software. The government yesterday announced it was to create a “level playing field” for open source software in the public sector.

A recent survey by IDG of IT professionals revealed that nearly two-thirds were using open source software or planned to within the next year.

The benefits to the enterprise are many: Lower costs, relief on overextended development resources, access to cutting-edge technology, freedom from vendor development schedules, open standards and rapid deployment.

OpenLogic reports that in 2006, enterprises on average used 75 different open-source packages and that the number grew to 94 in 2007. But companies can also get more than they bargained for when they choose open source software.

Security vulnerabilities in open source could mean that companies are opening their doors to viruses, software exploits and other problems that could adversely affect their businesses, users and customers.

Security expert John Viega wrote in The Myth of Open Source Security, “the very things that can make open source programs secure -- the availability of the source code, and the fact that large numbers of users are available to look for and fix security holes -- can also lull people into a false sense of security.”

In fact, the Open Source Vulnerability Database in 2006 showed more than 8,500 vulnerabilities—an equal number of vulnerabilities when compared to CERT proprietary vulnerability database for the same year.

Is open source software too great a security risk?

Given the advantages to open source software, many companies accept the risks, even if they’re not fully aware of how extensive those risks could be. The truth is that most open source software producers don’t make security a priority in their software development process. They often neglect the three essential elements of security: people, process and technology.

1 - Many open source communities do not utilize security experts

Security is frequently left up to the developer or peer reviews. All too often the attitude is to fix problems that turn up after the release.

2 - Have inadequate security processes

There are exceptions, such as Mozilla, but many developers don’t consider security a goal separate from their standards for overall software quality. The concept of “building security in” has not taken a wide hold among open source developers.

3 - Fail to leverage technology to uncover security vulnerabilities

Open source developers are less likely than in-house or commercial developers to have access to the latest security tools for software development.

"Recommended For You"

Out of Africa: More Microsoft FUD Tories 'misguided' in criticising government's stance on open source software