OpenOffice.org recently issued version 3.2, which fixed six vulnerabilities present in previous versions. The vulnerabilities could be exploited for arbitrary code execution or to bypass authentication protection. Remote code-execution vulnerabilities are particularly popular with hackers because users can be targeted by email to get them to open a malicious document, which can then exploit the vulnerability. With over 100 million downloads of OpenOffice.org 3.x, the user base is large enough to attract serious interest from malicious hackers.
According to a 2008 study of 11 popular open source applications by Fortify Software Inc., enterprises are underestimating the security and business risks of using open source software. One study found that flaws in commercial applications tend to get patched faster than those in open source ones because the vendors have a lot more at stake. That's open to debate, but certainly some open source projects do lack commercial-grade software change-control processes and testing tools, and if security processes are missing during development, vulnerabilities can become a problem. Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building effective security into the design and development phases. Many commercial companies have upped their game by adopting a Security Development Lifecycle methodology, and for many the number of vulnerabilities reaching production code has been significantly reduced.
Before implementing any open source software, a risk analysis and code review must be carried out. Good documentation is essential for truly understanding how the application works and for dealing with incidents. The absence of software licensing fees needs to be offset against the costs of training, support and maintenance. Users must receive proper training, as the new software may perform similar functions differently. For example, OpenOffice tends not to have as many pop-up user warnings when opening a macro as Microsoft Office does. If the application introduces any new functionality, such as file sharing, you will need to update your acceptable usage policy to cover how and when these features can be used.
With open source there's no one to call when things go wrong, so check that there is an active and responsive support forum or group from which to draw advice. Another task is to subscribe to the relevant newsgroups that cover developments in your open source software. The OpenOffice.org project includes a security team that publishes its OpenOffice security alerts via a dedicated mailing list. To subscribe to the list, send a blank email to firstname.lastname@example.org. The OpenOffice.org security team also publishes details of security vulnerabilities in its Security Bulletin.