Do open source applications take security seriously?

Summary: This should be the chief open source challenge for the next year, because if application security is not addressed, it's hard to see much more progress coming in the enterprise market.

Fortify technical advisory board, 01-2007, by Gary McGraw of Cigital.com

Not according to the folks at Fortify, who today are issuing a blistering report claiming open source projects and companies don't take security seriously at all.

Security best practices are missing in the open source space, Fortify says. (Gary McGraw interviewed Fortify's technical advisory board in January, 2007. Here are some of those heroes.)

"If there's an application hack at Microsoft you would know who to go to. But what about open source? The answer isn't always clear," director of product marketing Rob Rachwald told ZDNet.

It should be noted before going forward that Fortify specializes in this sort of security life cycle work. One can argue they are speaking from the position of a vendor who stands to benefit if its demands for the industry are met.

But this should not invalidate the point, which is that security is a process that must be followed consistently, and many open source projects do this only haphazardly.

Here is the way CEO John Jack and CTO Roger Thornton put it when they got on the call:

There were 215 million data breaches from 2004-2006. Something is going on.

The bad guys have figured out how to exploit software, and one of the key elements is something firewalls can't deal with and anti-virals don't deal with – the applications layer.

Most hacks today are at the application layer, anywhere from 75-92%.

Open source projects that leave vulnerabilities open threaten the integrity of entire installations.

I thought at first this might be a crack at non-professional open source projects, as opposed to the work of professional open source companies.

Fortify's research indicates both sides are equally at fault here.

"Some commercial companies maintain open source packages and I wish they were doing a better job on this than non-commercial projects," admitted Jack. "There's no swing one way or another in terms of security practices."

Secure development, real-time monitoring, and the hiring of full-time security directors are all steps which need to be taken, Rachwald concluded. Open source needs to take security as seriously as Microsoft does.

"One thing I don't think developers understand is the difference between security and quality. Security is gray. Quality is black and white. That's why a security process is essential, because it's not black and white."

This should be the chief open source challenge for the next year, because if application security is not addressed, it's hard to see much more progress coming in the enterprise market.

Talkback

43 comments
  • Good Point, Good Post

    The lack of objective security information is a major concern to "computer naive" Vice-presidents. Blanket announcements that open-source systems (Linux) have always been secure and commercial systems (Windows) have never been secure are simply not believable to enterprise management. Nothing is that black and white.

    Open source is necessary to the continuing evolution of computer technology, and the security of software must be addressed, but this will take money, expertise and organization.

    Money and organization may not be that difficult to obtain, but ensuring the spirit of open source survives may be an impossible goal. Nevertheless these security concerns must be addressed - and not by "computer geeks" but by government and business.

    I may not like having to follow rules, but I will if this will lead to better development. I am currently developing a PHP-MySql site and can only find the basic security procedures ("10-12-etc things to watch out for" tips).
    bcarpent1228
  • RE: Do open source applications take security seriously?

    I won't deny that this has been and continues to be a problem, but it's not unique to open source.

    Just look at Red Hat's Security Response Team for example:
    https://www.redhat.com/security/team/

    Red Hat has a very good process in place for responding to and dealing with security issues across any/all open source components that ship with their product distributions (across RHEL, JBoss, etc.). As part of JBoss, I've seen this process work firsthand.
    ShaunConnolly
  • Don't forget the corollary

    Do closed source companies take security seriously?

    See the AV bug hunt that was posted on ZDNet last week.
    rpmyers1
  • I think you are on to something ...

    ...read here: http://talkback.zdnet.com/5208-10535-0.html?forumID=1&threadID=49873&messageID=934383&start=-9980
    Hence, you got a good thing going, don't wear it out.
    n0neXn0ne
  • Inflating title with little substance

    A good point is lost inside the BS notion that having somebody to contact or blame is equivalent to better security.

    The fact is that most closed source takes 4 to 5 times longer (if ever) to respond to a vulnerability than open source. If a company is very worried about a "bug" or vulnerability in an open source product, they have the ability to fix it themselves or purchase a solution from their preferred vendor (out of hundreds).

    Regardless of what tool you are using, security is not a joke. Sometimes it takes some pro-active steps and some work by the user to be more secure. But having somebody to blame or a direct contact number to an outsourced tech support (that chances are would have less knowledge than you) is not an indication of better security in closed source products.
    wackoae
    • instead of ...

      ...writing about something practical or of substance, such as, why are all these ATM machines that run Windows being hacked? And are we safe, etc...
      n0neXn0ne
    • That was one example

      Having someone specifically in charge and available is just one example of how things are falling down, according to Fortify. There are many others throughout the development process.

      Sorry if it seemed like I was only mentioning one.
      DanaBlankenhorn
      • Ok, give us another one

        Since it was the only example you gave, it is easy to see why someone might think that is the only issue. So why did you pass on another excellent chance to give more examples when answering that comment?

        On the question at hand, most major distributions (Debian, SuSE, Red Hat, ...) do take security very seriously, to the point of correcting security problems themselves and giving the fixes back to the software maintainer. Also, just having someone in charge of security does not in any way guarantee that they take it seriously, as demonstrated time and time again by Microsoft, Apple, and a host of other proprietary software companies.
        Hemlock Stones
        • Here's a list

          http://news.netcraft.com/archives/2006/01/31/php_apps_a_growing_target_for_hackers.html

          Excerpt:
          "Most of the security issues with PHP-driven programs are found not in PHP itself, but rather in the libraries and applications built atop the server-side scripting language. The most widespread of these, a flaw in XML-RPC libraries identified in July, affected a lengthy list of popular programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki. More than four months later, hackers were actively targeting the flaw."

          So much for "open source patching quicker".
          FatherJ
          • OUCH!...

            But from the enterprise perspective. Do I want to take a fix from anyone but the vendor?
            ItsTheBottomLine
          • You just hit the nail on the head....

            "Do I want to take a fix from anyone but the vendor?"

            Open source is supposed to be just that, open source code for everyone to be able to modify, fix, etc.

            The answer to your question based on an Enterprise Installation would probably be "Not Approved" by the CIO and underlings unless it did come from the Vendor.

            The more "Open Source" is commercialized the less secure it becomes because of this very reason.

            You may know that there is an open source patch/fix for your problem but getting approval to install an unknown as a Fix is both dangerous and would probably not be approved by your Vendor or your ISO so your choice is to wait for the vendor.

            You know the one that didn't know they had a problem to start with and has exposed you for God knows how long.
            dunn2
          • What a crock: "So much for 'open source patching quicker'."

            "Here's a list"?

            That's not a list of vulnerabilities. It's a (two year old) list of individual web sites that were affected by that one vulnerability.

            "More than four months later, hackers were actively targeting the flaw."

            So? More than four YEARS later, hackers are actively targeting flaws in Windows XP. By this logic, Microsoft fails big-time at patching.

            "So much for 'open source patching quicker'."

            The article doesn't say anything about patches not being available. It says the patches that are available were not being APPLIED. Stop skimming, start reading.
            bmerc
          • PHP?

            People actually use that on world-facing web sites?

            The philosophy of PHP is to make it as easy as possible to get a website together - along the way PHP makes it trivially easy to allow SQL injection, for starters.

            Anywhere you see something that makes life more convenient, you should expect that you're sacrificing security or at least stability.

            How can anyone seriously put "PHP" and "enterprise" in the same sentence? They're anathema to each other.
            grail1
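The SQL injection risk grail1 describes above, as an added example that is not from the ZDNet post or any commenter: a lookup that splices user input into the SQL text beside the same lookup using a PDO prepared statement. The `users` table, its columns and the sample rows are constructed for illustration, and the demo runs against an in-memory SQLite database.

```php
<?php
// Added example (not from the ZDNet post or its comments).
// The "users" table, column names and sample rows are constructed for illustration.

// Vulnerable pattern: user input becomes part of the SQL text, so any quote
// or SQL syntax inside $username is parsed by the database as SQL.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the SQL text is fixed when prepared and the value travels
// separately as a bound parameter, so it is never interpreted as SQL.
// (With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not PHP, does the binding.)
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo: in-memory SQLite with two constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// A perfectly ordinary username with an apostrophe: plain data to the safe
// version, a broken statement for the unsafe one. The same property that
// breaks the query here is what lets crafted input alter its meaning.
$input = "o'brien";

var_dump(findUserSafe($db, $input));   // NULL: no such user, query ran fine

try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    echo "Unsafe query failed on an apostrophe: ", $e->getMessage(), PHP_EOL;
}
```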
    • Actually, No.

      It has been statistically shown in a multitude of studies that various distros of Linux as well as Apache take significantly longer to address critical security flaws than Apple or Microsoft.

      Say what you will but Microsoft actually has a proven record of patching faster than any other vendor.

      Beyond that, 99% of users and even administrators wouldn't have a clue where to start if they needed to fix a buffer overflow in a php application.
      FatherJ
      • Actually, Yes.

        >>It has been statistically shown in a multitude of studies that various distros of Linux as well as Apache take significantly longer to address critical security flaws than Apple or Microsoft.

        A multitude of Microsoft sponsored studies. As has been pointed out before, those studies only apply to security issues that Microsoft actually tells you about (just) before (or after) patching them.

        >>Say what you will but Microsoft actually has a proven record of patching faster than any other vendor.

        Yea, sure. That's why they've had such a sterling security record over the years.

        >>Beyond that, 99% of users and even administrators wouldn't have a clue where to start if they needed to fix a buffer overflow in a php application.

        Don't need to. That's what distributions are for. And while you are correct about Microsoft administrators not having a clue, most Unix/Linux administrators would. It's called knowledge.
        Hemlock Stones
        • Do some homework.

          The fact is, any known security hole is patched quicker by Microsoft than any other vendor. If it's not a known, in-the-wild flaw, then it's really irrelevant.

          Just look at the patch history of IIS vs. Apache. Since IIS 6 was released in 2003, it's had a total of 5 security advisories, of which only 1 was "highly critical". All of which have been patched.

          During the same time, Apache 2.0 has had 36. Although only 1 was considered "highly critical", 4 are still unpatched.

          This is not a "Microsoft sponsored study", it is just a collection of the facts.

          Ref:
          http://secunia.com/product/1438/?task=statistics
          http://secunia.com/product/73/?task=statistics

          If you want to make other comparisons, look at the security issues with MySQL vs. Oracle or MS SQL.

          MySQL 4.0 has a significant number of vulnerabilities that still remain unpatched. The answer - move to MySQL 5, which still has a number of security issues - at least they've been fixed. They total 36 vulnerabilities between the 2 over the last 5 years.

          Oracle Database 8.x & 10.x have less than half of those from MySQL (16 total). All of which have been remedied.

          Microsoft SQL Server 2000 has only 7 security advisories over an 8 year span - all of which have been addressed.

          Now...before making ignorant blanket statements, do a little homework.
          FatherJ
          • The links you provided do not support your claim

            "The fact is, any known security hole is patched quicker by Microsoft than any other vendor."

            I see no evidence of this in the links you provided.
            Nor have I ever seen anything to suggest that comparing vulnerability counts has any value.

            "If it's not a known, in-the-wild flaw, then it's really irrelevant."

            Keep telling yourself that.
            bmerc
          • I think YOU need to do a bit more homework...

            You might want to start by actually reading the notes at the bottom of the Secunia links you posted...
            Here, I'm gonna make it super-easy for you by quoting it here... I highlighted the critical piece in bold.

            "[b]PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another.[/b] It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

            Secunia advisories often cover multiple vulnerabilities. Consequently, the number of advisories issued for a product does not always reflect the number of security issues that have been disclosed. For instance, in 2006 Secunia issued more than 5,000 advisories covering more than 9,000 vulnerabilities. This is counted AFTER removing duplicates generated by Linux distributions, issues in beta software, and what Secunia considers non-issues and fake issues that our competitors and other security vendors often write about."
            bmerc
          • Get over yourself

            It's not absolute that anything is more secure than anything else. It's obvious to anyone that it completely depends on how it is administered. The statistics don't have any definite conclusion other than open source applications have longer periods of vulnerability. People are asking about examples and I'm just pointing out that there are plenty of them.

            The disclaimer at the bottom is merely them covering their ass.
            FatherJ
        • YAWN...not another one...nt

          nt
          ItsTheBottomLine