Open source exposing businesses to significant risk


Open source exposing businesses to significant risk

Warwick Ashford

The most widely used open source software for the enterprise is exposing businesses to significant risk, according to a study by security firm Fortify Software.

The Open Source Security Study examined 11 Java open source packages and associated security practices, and included vulnerability scanning of the software.

The study found that open source software (OSS) development communities do not have a secure development process with security testing and often leave vulnerabilities unaddressed.

Nearly all OSS communities fail to provide users with access to security expertise to help fix vulnerabilities and security risks, the study said.

Despite a steady increase in the adoption of OSS, the study found little has been done by the open source community to implement enterprise level application security measures.

Rob Rachwald of Fortify Software said enterprises should follow the example of large banks and apply risk and coding analysis techniques to their open source software.

He said there was little evidence of secure development practices, but the open source Mozilla Corporation has begun putting together a programme to improve security.

"They have hired a security consultant and are starting with developer education, which is exactly the kind of process the whole open source community should be following," he said.

Rachwald said open source security could be improved by businesses informing developers of their security requirements.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy