Open source 'lacks enterprise-grade security'

The security practices of open-source IT developers should lead enterprises to think twice before using open-source software, according to a new study sponsored by security tools vendor Fortify.

The study, carried out by application security consultant Larry Suto, found that a lack of security processes led to a constant or increasing number of security issues in successive open-source releases.

As a result, government and commercial organisations should approach open-source applications with "great caution", carrying out risk analysis and code review before it is used, Fortify said.

The company argued that open-source development simply does not live up to enterprise security standards. Fortify quoted Jennifer Bayuk, an independent security consultant, as saying that open source implies a "hidden cost" due to the necessity of testing for security bugs.

The study is likely to reopen the debate around the relative security of proprietary and open-source software.

Independent software vendors (ISVs) selling proprietary software have claimed that the open-source development process exposes open-source software to greater security risks, while open-source developers argue that the openness of the process allows for more security flaws to be caught.

The study examined software for developing and serving Java applications, including Geronimo, JBoss, Struts and Tomcat. It found that all or nearly all of the projects examined failed to provide access to an internal security expert, reduce the number of security flaws in successive releases or make use of bug-catching tools such as FindBugs or Fortify's own Java Open Review (JOR).

As a result, bugs such as SQL injection and cross-site scripting (XSS) continue to proliferate, Fortify said.

"Open-source packages often claim enterprise-class capabilities but are not adopting — or even considering — industry best-security practices," the study said. "Serious security threats stemming from numerous application vulnerabilities are a direct result of poor or non-existent security processes."

One exception is Mozilla, which in July announced a security initiative and hired security consultant Rich Mogul as an adviser. But more projects need to follow Mozilla's lead or, better yet, follow the lead of proprietary ISVs in improving security practices, Fortify said.

"Open-source development can benefit from private industry practices — notably those created by financial services organisations and larger independent software vendors," the report said.

Not everyone agrees that security should be the priority Fortify takes it to be. Last week Linux creator Linus Torvalds criticised the makers of the OpenBSD operating system as part of a critique of what he said was self-centred behaviour in the IT security industry.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labelling them as security flaws. Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behaviour.

A May study funded by the US Department of Homeland Security praised improvements in open-source security. A recent survey found that unsupported open source software was one of the top causes of security breaches.