Rising Enterprise Adoption of Open Source Software is Putting Businesses At Greater Risk
New data from Fortify Software finds that widely-used open source software
packages do not employ best practices for securing code
SAN MATEO, Calif., July 21 /PRNewswire/ -- Fortify Software, Inc., the
market leader in enterprise application security solutions for business
software assurance, released today its Open Source Security Study which
reveals that the most widely-used open source software packages for the
enterprise are exposing users to significant and unnecessary business risk.
The study validates that Open Source Software (OSS) development communities
have yet to adopt a secure development process and often leave dangerous
vulnerabilities unaddressed. Additionally, the study found that nearly all OSS
communities fail to provide users access to security expertise to help
remediate these vulnerabilities and security risks.
"Open source software can be another valuable option in today's corporate
enterprises, but, just as with commercial software, vulnerabilities in
software should be a point of concern for CIOs who depend on open source
software to run their business," said Howard A. Schmidt, former cyber security
advisor to the White House. "This is an endemic issue that starts in the open
source community, and while open source software faces the same
vulnerabilities as commercial or in-house developed software, the mechanisms
to test and analyze software code need to be done with great rigor in open
source communities to influence a secure development process."
The survey, sponsored by Fortify Software and completed by leading
application security consultant Larry Suto, examined 11 of the most common
Java open source packages. In order to evaluate the security expertise
offered to users and to measure the secure development processes in place in
OSS communities, Fortify interacted with open source maintainers and examined
documented open source security practices. Additionally, multiple versions of
each package were downloaded and scanned for vulnerabilities using Fortify SCA
(the static analyzer found in Fortify's security suite, Fortify 360). Manual
scanning was also executed on security-sensitive areas of code.
Increased enterprise adoption of open source is evidenced by reports from
a number of leading analyst firms, including Gartner, which recently reported
that by 2011, 80% of commercial software will include elements of open source
technology (Gartner, "The State of Open Source 2008," April 2008).
Additionally, an April 2008 survey from CIO reported that more than half of
its respondents are using open source applications in their organizations
today (1). A recent report from Forrester Research noted that for over 88% of
respondents, security of open source software was an important concern
(Source: Forrester Research, Enterprise and SMB Software Survey, 2007).
Although enterprise adoption of OSS has steadily increased, little has
been done within the OSS community to implement enterprise-worthy application
security measures. As a result of the survey, Fortify recommends that
enterprises should follow the example of financial services companies in
applying risk and coding analysis techniques to their open source software.
In addition, enterprises should:
-- Raise security awareness within open source development communities
and emphasize the importance of preventing vulnerabilities upstream.
Enterprise security teams should articulate their security requirements to
open source maintainers to accelerate the adoption of secure development
lifecycles.
-- Perform assessments to understand where their open source deployments
and components stand from a security standpoint.
-- Remediate vulnerabilities internally or leverage Fortify's Java Open
Review which provides audited versions of several open source packages.
"Most open source communities do not follow enterprise-level change
control standards," says Jennifer Bayuk, independent security consultant and
former CISO of Bear Stearns. "There is a hidden cost for the enterprise in
using open source because they have to test and patch for security bugs they
don't anticipate."
"Today's enterprises are built and operated by software that comes from a
variety of sources," commented Roger Thornton, founder and CTO of Fortify
Software. "The software could be developed in-house, purchased off-the-shelf,
outsourced, or as we're seeing more often, based on open source. In order to
mitigate the business risk created by insecure applications, it is imperative
that companies adopt a process that allows them to assess, remediate and
prevent security vulnerabilities in all of their business software, whatever
the source."
To access a copy of the survey results, please visit
http://www.fortify.com/l/oss/oss_report.html. For more information on
Fortify's open source initiative, Java Open Review, visit
http://opensource.fortify.com.
Visit https://www1.gotomeeting.com/register/929272775 to register for the
webinar, "A CISO's Guide to Securing Open Source Software."
About Fortify Software, Inc.
Fortify(R)'s Business Software Assurance products and services protect
companies from the threats posed by security flaws in business-critical
software applications. Its software security suite -- Fortify 360 -- drives
down costs and security risks by automating key processes of developing and
deploying secure applications. Fortify Software's customers include government
agencies and FORTUNE 500 companies in a wide variety of industries, such as
financial services, healthcare, e-commerce, telecommunications, publishing,
insurance, systems integration and information management. The company is
backed by world-class teams of software security experts and partners. More
information is available at http://www.fortify.com.
(1) See
http://cio.com/article/375916/Open_Source_is_Entering_the_Enterprise_Mainstream_Survey_Shows
SOURCE Fortify Software, Inc.
Katherine Nellums of Merritt Group, Inc., +1-415-247-1663,
Nellums@merrittgrp.com, for Fortify Software, Inc.
© Thomson Reuters 2009 All rights reserved