Why open source fails application security tests

Summary: Thornton has knocked down the door and gotten our attention. Now he needs to work cooperatively with the community -- including other security vendors -- to get it back on its hinges.

Fortify CTO Roger Thornton
Our friends at Zero Day gave Fortify CTO Roger Thornton the floor today to answer critics of his recent study on open source application security.

It's a good piece.

One point that really struck home concerned how we test open source code. We test it to see if it works. Security testing checks whether it can be broken.

The distinction is important. Functional testing asks whether the code does what it should; security testing asks whether it can be made to do what it shouldn't. A security tester is not hunting bugs so much as features that can be exploited, including features that work exactly as designed.
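To make that distinction concrete, here is an added example of my own (it is not code from the article or from Fortify's study). It takes one small feature, a helper that serves files from a web application's "public" directory, and runs both kinds of test against it: a functional test that asks "does it work?" and a security test that asks "can it be broken?". The naive version passes the functional test and fails the security test because path traversal is simply the feature doing what it was told; the hardened version passes both. The function names, the directory layout and the file contents are all constructed for the example.

```python
"""Functional test vs. security test on one small feature.

Constructed example: a helper that serves files from a "public" directory,
as a web application's download endpoint might. All names here
(serve_public_file, serve_public_file_hardened, run_both_test_kinds)
are hypothetical, not from any real project.
"""
import os
import tempfile


def serve_public_file(public_dir: str, name: str) -> bytes:
    """Naive version: joins the requested name onto the public directory.

    Functionally correct for every name a well-behaved client sends.
    Nothing here is a "bug"; it is the feature working as designed.
    """
    with open(os.path.join(public_dir, name), "rb") as f:
        return f.read()


def serve_public_file_hardened(public_dir: str, name: str) -> bytes:
    """Same feature, but refuses any name that resolves outside public_dir.

    realpath() collapses '..' segments and symlinks before the check, so
    the comparison is made on where the file actually lives.
    """
    root = os.path.realpath(public_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to serve {name!r}: outside {root}")
    with open(target, "rb") as f:
        return f.read()


def run_both_test_kinds(serve) -> dict:
    """Run a functional test ("does it work?") and a security test
    ("can it be broken?") against a serve() implementation.

    Returns which of the two the implementation passes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        # Constructed fixture: one file the feature is meant to serve ...
        with open(os.path.join(public, "readme.txt"), "wb") as f:
            f.write(b"hello")
        # ... and one it must never reveal, one level above public/.
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"db-password")

        # Functional test: the documented use case works.
        functional_ok = serve(public, "readme.txt") == b"hello"

        # Security test: feed the feature an input a hostile client would
        # send and check whether it does something it should not.
        try:
            leaked = serve(public, os.path.join("..", "secret.txt"))
            security_ok = leaked != b"db-password"
        except (PermissionError, FileNotFoundError):
            security_ok = True

    return {"functional": functional_ok, "security": security_ok}


if __name__ == "__main__":
    print("naive   :", run_both_test_kinds(serve_public_file))
    print("hardened:", run_both_test_kinds(serve_public_file_hardened))
```

The point of the example is the shape of the two tests, not the traversal itself: the functional test would be green in any open source project's CI, and it tells you nothing about the second result. Only a test written to break the feature reveals the difference between the two implementations.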

This makes security hard to build into an open source business model. It's one of those costs, like insurance, which go into the category of overhead. And open source is all about getting rid of overhead.

The answer is that security must first become a business imperative: an early point of difference between a "community" edition of a package and a "paid" version for which businesses pay support fees.

This, in turn, tells me where the pressure for change in open source security needs to come from: big customers.

Scary headlines like "open source insecure" create heat, but "we the undersigned demand security testing or we rip it out" is what turns on the lights.

My hope is that customers go about this responsibly, and that Fortify can help, perhaps by offering deals to large users and working through user groups to get the job done, and by cooperating with other security vendors the way open source works through its other problems.

In other words Thornton has knocked down the door and gotten our attention. Now he needs to work cooperatively with the community -- including other security vendors -- to get it back on its hinges.

Topics: Open Source, Security

About

Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.


