Open source exposing businesses to significant risk

The most widely used open source software for the enterprise is exposing businesses to significant risk, according to a study by security firm Fortify Software.

The Open Source Security Study examined 11 Java open source packages and associated security practices, and included vulnerability scanning of the software.

The study found that open source software (OSS) development communities do not have a secure development process with security testing and often leave vulnerabilities unaddressed.

Nearly all OSS communities fail to provide users with access to security expertise to help fix vulnerabilities and security risks, the study said.

Despite a steady increase in the adoption of OSS, the study found little has been done by the open source community to implement enterprise level application security measures.

Rob Rachwald of Fortify Software said enterprises should follow the example of large banks and apply risk and coding analysis techniques to their open source software.

He said there was little evidence of secure development practices, but the open source Mozilla Corporation has begun putting together a programme to improve security.

"They have hired a security consultant and are starting with developer education, which is exactly the kind of process the whole open source community should be following," he said.

Rachwald said open source security could be improved by businesses informing developers of their security requirements.