Enterprises often rely on open source software to save development time and money, but they shouldn't rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices.
Based on the findings of Fortify Software Inc. and information risk management and mobility consultant Larry Suto, the study found that open source developers need to pay more serious attention to security, and enterprises should treat open source with healthy skepticism as they integrate it into their businesses.
"Enterprises need to treat open source very much the same way as internally developed or outsourced software," said Jacob West, manager of Fortify's security research group, "meaning they need to put it through their own security development process, doing things like risk assessment and code review."
The study discovered thousands of vulnerabilities, including nearly 23,000 cross-site scripting flaws and more than 15,000 SQL injection flaws. Of more concern, perhaps, is that there's little evidence open source projects have made finding and remediating security issues a priority. The number of flaws stayed about the same or even increased through each of three new versions of six of the packages tested. (CRM/groupware Hipergate had by far the most issues, more than 14,000.)
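To make concrete what the two largest categories in those counts look like, here is an added illustration (not code from the study, from Fortify, or from any of the 11 projects) of a SQL injection and a reflected cross-site scripting flaw in the form a source code analyzer would flag, each beside its hardened counterpart. It is written in Python against an in-memory SQLite table of constructed sample users; the function names, the sample rows and the payloads are all assumptions made for this example.

```python
import html
import sqlite3

# Constructed sample data for this example only; not drawn from any real project.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _fresh_db():
    """Build a throwaway in-memory database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The pattern a static analyzer reports as SQL injection: untrusted input
    concatenated into the SQL text, so the input can change the query itself."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, name, password):
    """Hardened form: bound parameters. The driver sends the values separately
    from the SQL text, so quote characters in the input remain plain data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def greet_vulnerable(name):
    """Reflected XSS pattern: untrusted input written into HTML without escaping."""
    return "<p>Welcome, " + name + "</p>"


def greet_fixed(name):
    """Hardened form: escape the input for the HTML context it is placed in."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both payloads through the vulnerable and the fixed versions."""
    conn = _fresh_db()
    # Tautology payload: it neutralises the password check and comments out
    # the rest of the WHERE clause in the concatenated query.
    sqli_payload = "' OR '1'='1' --"
    xss_payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable_rows": login_vulnerable(conn, sqli_payload, "wrong"),  # every user
        "sqli_fixed_rows": login_fixed(conn, sqli_payload, "wrong"),            # no match
        "xss_vulnerable": greet_vulnerable(xss_payload),                        # script tag survives
        "xss_fixed": greet_fixed(xss_payload),                                  # tag is escaped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable login returns both constructed users for the injected name and a wrong password, while the parameterised version returns nothing; likewise the unescaped greeting echoes the script tag verbatim and the escaped one renders it as inert text. Both fixes are local and mechanical, which is why a scanner plus a review pass, as the study applied, catches this class of defect cheaply.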
The software packages were scanned by Fortify's Source Code Analyzer (SCA) and the findings were manually reviewed by Suto, with the help of Fortify staff.
Suto and Fortify also approached each project's website from the perspective of an end user looking for security help. They looked for a prominent link to documentation about security and secure implementation, a dedicated email alias for reporting security issues, and/or easy access to security experts to discuss issues. Of the 11 projects, only the Tomcat Web server provided all three, and eight struck out in all three areas.
West said some enterprises already have a healthy security approach to the open source software they deploy, with teams responsible for evaluating their risk. These companies will often develop their own versions, so they can control security and apply their findings and remediation across their installed code base.
Most organizations, he said, are aware of their use of open source because their legal teams review licensing issues. The problem is that the legal department and the security groups don't necessarily communicate.
West acknowledged that resources are an issue for open source projects, but said that they can improve "with some smart choices and adopting the right processes and technology." Fortify sponsors the Java Open Review Project, which conducts weekly security scans of participating projects.
"The open source community needs to think about security as one of the core deliverables they provide with the software they build," West said.