The most widely used open source software for the enterprise is exposing businesses to significant risk, according to a study by security firm Fortify Software.

The Open Source Security Study examined 11 Java open source packages and associated security practices, and included vulnerability scanning of the software.

The study found that open source software (OSS) development communities do not have a secure development process with security testing and often leave vulnerabilities unaddressed.

Nearly all OSS communities fail to provide users with access to security expertise to help fix vulnerabilities and security risks, the study said.

Despite a steady increase in the adoption of OSS, the study found little has been done by the open source community to implement enterprise-level application security measures.

Rob Rachwald of Fortify Software said enterprises should follow the example of large banks and apply risk and coding analysis techniques to their open source software.

He said there was little evidence of secure development practices, but the open source Mozilla Corporation has begun putting together a programme to improve security.

"They have hired a security consultant and are starting with developer education, which is exactly the kind of process the whole open source community should be following," he said.

Rachwald said open source security could be improved by businesses informing developers of their security requirements.