Do open source applications take security seriously?

Fortify technical advisory board, 01-2007, by Gary McGraw of Cigital.com

Not according to the folks at Fortify, who today are issuing a blistering report claiming open source projects and companies don't take security seriously at all.

Security best practices are missing in the open source space, Fortify says. (Gary McGraw interviewed Fortify's technical advisory board in January, 2007. Here are some of those heroes.)

"If there's an application hack at Microsoft you would know who to go to. But what about open source? The answer isn't always clear," director of product marketing Rob Rachwald told ZDNet.

It should be noted before going forward that Fortify specializes in this sort of security life cycle work. One can argue they are speaking from the position of a vendor that stands to benefit if its demands on the industry are met.

But this should not invalidate the point, which is that security is a process that must be followed consistently, and many open source projects do this only haphazardly.

Here is the way CEO John Jack and CTO Roger Thornton put it when they got on the call:

There were 215 million data breaches from 2004-2006. Something is going on.

The bad guys have figured out how to exploit software, and one of the key elements is something firewalls can't deal with and anti-virals don't deal with – the applications layer.

Most hacks today are at the application layer, anywhere from 75-92%.

Open source projects that leave vulnerabilities open threaten the integrity of entire installations.

I thought at first this might be a crack at non-professional open source projects, as opposed to the work of professional open source companies.

Fortify's research indicates both sides are equally at fault here.

"Some commercial companies maintain open source packages and I wish they were doing a better job on this than non-commercial projects," admitted Jack. "There's no swing one way or another in terms of security practices."

Secure development, real-time monitoring, and the hiring of full-time security directors are all steps which need to be taken, Rachwald concluded. Open source needs to take security as seriously as Microsoft does.

"One thing I don't think developers understand is the difference between security and quality. Security is gray. Quality is black and white. That's why a security process is essential, because it's not black and white."

This should be the chief open source challenge for the next year, because if application security is not addressed, it's hard to see much more progress coming in the enterprise market.
