Study: OSS Communities Are Often Slackers in Security

Enterprises using certain kinds of open source software may be exposing themselves to serious security risks, according to a study from Fortify Software. The study, which focused primarily on non-commercially supported OSS, found many packages have no ground rules for reporting bugs and do not adequately inform users about how to use the applications safely.

The most widely used open source software packages for the enterprise are exposing users to significant and unnecessary business risks, according to an open source security study from security firm Fortify Software.

The study, released Monday, concludes that open source software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, the study found that nearly all OSS communities fail to provide users access to security expertise to help fix these vulnerabilities and security risks.

The survey, sponsored by Fortify and completed by application security consultant Larry Suto, examined 11 of the most common Java open source packages.

"The findings startled us. We found numerous vulnerabilities in the open source packages tested. Communities lack a process for testing security. When enterprise users adopt these software packages, they get substantial risk," Jacob West, manager of security for the research group at Fortify, told LinuxInsider.

Testing Parameters

Fortify decided to conduct the security test for several reasons. The use of open source software in the enterprise is expanding rapidly. The company sees strong adoption of numerous core packages, and its customers were pushing to know about the inherent risks associated with their choices, said West.

In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices. The company downloaded multiple versions of each package and scanned them for vulnerabilities using Fortify SCA (the company's static analyzer). In addition, testers performed manual code review of security-sensitive areas of each package.

The security testing focused primarily on non-commercially supported open source packages, West said.

Biggest Faults

Two major concerns topped Fortify's list of findings. Both are characteristic of community-developed software and are not typically found with commercially supported open source products.

One is the absence of any procedure for reporting bugs or security flaws. The other is the lack of any guidelines on how to configure and use the software securely.

"Open source software is an Achilles' heel in today's corporate enterprises and should be a significant concern for CIOs who depend on open source software to run their business," said Howard Schmidt, former cyber-security adviser to the White House. "This is an endemic issue that starts in the open source community, and while open source software faces the same vulnerabilities as commercial or in-house developed software, there just aren't the mechanisms in place to influence a secure development process."

No Offense

Fortify officials hope the open source community will respond positively to the findings.

"We're not trying to indict communities for something they do not have the money to fix," said West. "We have no real concerns about a negative reaction to the study findings."

At the same time, enterprise users of open source software need to understand the risks involved, according to the company. They have to pay the price to make sure what they use is secure, West added.

Adoption Concerns

The security weaknesses Fortify spotlights should serve as a wake-up call for the open source industry, because the growth of open source in industry is continuing at a steady pace, West noted.

"Its growth is unstoppable," he said. "Trying to stop it would be like standing in front of a tidal wave."

Recent industry reports support that growth trend. Research firm Gartner (NYSE: IT) reported that by 2011, 80 percent of commercial software will include elements of open source technology. A report from Forrester Research noted that for over 88 percent of respondents, security of open source software was an important concern.

Proactive Steps

As a result of the survey, Fortify recommends that enterprises follow the example of financial services companies in applying risk and code analysis techniques to their open source software, West said. In addition, enterprises should raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream.

Enterprise security teams should also perform assessments to understand where their open source deployments and components stand from a security standpoint, according to the firm. To that end, Fortify's Java Open Review provides audited versions of several open source packages.

"Most open source communities do not follow enterprise-level change control standards," said Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. "There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."

By Jack M. Germain