|
Open source now permeates more than 50 percent of enterprises, and its use is growing rapidly.1 This trend underlies an assumption held by many IT and business leaders that open source is enterprise class in terms of functionality and scalability. But is it secure? How much business risk is introduced with open source?
As a provider of software security assurance products, Fortify has often been drawn into the center of the debate over this question. The use of Fortify products to identify vulnerabilities in open source software has demonstrated that risk exists. Fortify has made attempts to reduce the risk by sharing vulnerability reports with the open source community. Yet the risk remains. In an effort to ascertain why open source development seems resistant to information on security, Fortify surveyed the open source community. (See Figure 1.) Our research revealed that open source projects lack the three essential elements of security: people, process, and technology, thereby introducing significant application security risk.
The study showed that many open source projects fail to:
1. Provide Access to Security Expertise: Few open source projects provide documentation that covers the security implications and secure deployment of the software they develop, a dedicated email alias for users to report security vulnerabilities, or easy access to internal security experts to discuss security issues.
Open Source Security Study WWW.FORTIFY.COM 3
2. Adopt a Secure Development Process: Not only did every project that we scanned contain significant security issues, but in all but one, the total number of security issues remained constant or increased between successive releases. This demonstrates that the projects have not adopted a successful secure development process.
3. Leverage Technology to Uncover Security Vulnerabilities: Well-known security vulnerabilities, such as Cross-Site Scripting (XSS) and SQL Injection, were among the most common and serious problems identified, which is consistent with OWASP findings.2 These classes of vulnerabilities can be identified by enrolling in the free Fortify Java Open Review (JOR) project or with open source products, such as FindBugs.3 This indicates that the projects do not make use of technology to identify and resolve security issues.4
These findings provide a call-to-action for organizations that rely on open source software. Specifically, Fortify recommends:
• Government and commercial organizations that leverage open source should use open source applications with great caution. Risk analysis and code review should be performed
on any open source code running in business-critical applications, and these processes should be repeated before new versions of open source components are approved for use.
• Open source projects should adopt robust security practices from their commercial counterparts. Open source development can benefit from private industry practices — notably those created by financial services organizations and larger independent software vendors (ISVs). Open source communities can then advertise and substantiate effective security practices that blend process and technology.
Introduction
Fortify recently conducted a study designed to better understand the overall security of popular open source projects and the role of security in their development processes. This work was motivated by the:
Rapid growth in the adoption of open source among enterprises
• An April 2008 survey by CIO.com showed that more than half of the respondents
(53 percent) are using open source applications in their organization today, and an additional
10 percent plan to do so in the next year. For nearly half (44 percent), open source applications are considered equal to closed-source solutions during the acquisition process.5
• The European Commission’s Competition Commissioner, Neelie Kroes, recently stated that open standards, and open source, are preferable to traditional closed source software.6
The European Commission’s Competition Commissioner, Neelie Kroes, recently stated that open standards, and open source, are preferable to traditional closed source software.6
Open Source Security Study WWW.FORTIFY.COM 4
Rising number of attacks targeted at the application layer
• Today’s hackers are going after applications. Gartner has reported that 75 percent of hacks take place at the application layer.7
• The US Air Force, for example, has seen application layer attacks increase from 2 percent
in 2004 to 33 percent in 2006.8
Fortify software has worked with organizations around the world that are committed to Business Software Assurance as demonstrated through improved software development processes. A few years ago, this was limited to the elite, which typically included members of the global financial services and military communities. Today, we are witnessing a surge in adoption of secure development practices across organizations, both large and small, in a wide range of industries. This widespread adoption of security processes has helped to raise the bar for security. It is no longer acceptable for businesses to ignore the risk that open source software can introduce, nor is it adequate for open source projects to disregard the
role security plays in their development process.
|
