Rising Enterprise Adoption of Open Source Software is Putting Businesses At Greater Risk
New data from Fortify Software finds that widely-used open source software packages do not employ best practices for securing code
"Open source software can be another valuable option in today's corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business," said Howard A. Schmidt, former cyber security advisor to the White House. "This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms to test and analyze software code need to be done with great rigor in open source communities to influence a secure development process."
The survey, sponsored by Fortify Software and completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. Additionally, multiple versions of each package were downloaded and scanned for vulnerabilities using Fortify SCA (the static analyzer found in Fortify's security suite, Fortify 360). Manual scanning was also executed on security-sensitive areas of code.
Increased enterprise adoption of open source is evidenced by reports from a number of leading analyst firms, including Gartner, which recently reported that by 2011, 80% of commercial software will include elements of open source technology (Gartner, The State of Open Source 2008," April 2008). Additionally, an April 2008 survey from CIO reported that more than half of its respondents are using open source applications in their organizations today. A recent report from Forrester Research noted that for over 88% of respondents, security of open source software was an important concern (Source: Forrester Research: Enterprise and SMB Software Survey, 2007)
Although enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. As a result of the survey, Fortify recommends that enterprises should follow the example of financial services companies in applying risk and coding analysis techniques to their open source software. In addition, enterprises should:
Raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream. Enterprise security teams should articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles.
Perform assessments to understand where their open source deployments and components stand from a security standpoint.
Remediate vulnerabilities internally or leverage Fortify's Java Open Review which provides audited versions of several open source packages.
"Most open source communities do not follow enterprise-level change control standards," says Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. "There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."
"Today's enterprises are built and operated by software that comes from a variety of sources," commented Roger Thornton, founder and CTO of Fortify Software. "The software could be developed in-house, purchased off-the-shelf, outsourced, or as we're seeing more often, based on open source. In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source."
To access a copy of the survey results, please visit http://www.fortify.com/l/oss/oss_report.html. For more information on Fortify's open source initiative, Java Open Review, visit http://opensource.fortify.com.
Visit https://www1.gotomeeting.com/register/929272775 to register for the webinar, "A CISO's Guide to Securing Open Source Software."
Fortify Software, Inc
Fortify®'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite-Fortify 360-drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.