How are Open Source Development Communities Embracing Security Best Practices?

Open Source Security StudyHow Are Open Source Development Communities
Embracing Security Best Practices?
Fortify's Security Research Groupand Larry SutoJuly 2008 Open Source Security Study WWW.FORTIFY.COM 1Open Source Security StudyHow Are Open Source Development Communities Embracing Security Best Practices?
Table of Contents
3 Introduction4 Study Methodology5 Key Findings9 Conclusions10 About Larry Suto11 About Fortify11 References
Executive Summary
Open source now permeates more than 50 percent of enterprises, and its use is growing 1rapidly. This trend underlies an assumption held by many IT and business leaders that open source is enterprise class in terms of functionality and scalability. But is it secure? How much business risk is introduced with open source? As a provider of software security assurance products, Fortify has often been drawn into the center of the debate over this question. The use of Fortify products to identify vulnerabilities in open source software has demonstrated that risk exists. Fortify has made attempts to reduce the risk by sharing vulnerability reports with the open source community. Yet the risk remains. In an effort to ascertain why open source development seems resistant to information on security, Fortify surveyed the open source community. (See Figure 1.) Our research revealed that open source projects lack the three essential elements of security: people, process, and technology, thereby introducing significant application security risk. The study showed that many open source projects fail to: 1. P rovide Access to Security Expertise: Few open source projects provide documentation that covers the security implications and secure deployment of the software they develop, a dedicated email alias for users to report security vulnerabilities, or easy access to internal security experts to discuss security issues.
Open Source Security Study WWW.FORTIFY.COM 22. A dopt a Secure Development Process: Not only did every project that we scanned contain The European significant security issues, but in all but one, the total number of security issues remained Commission's constant or increased between successive releases. This demonstrates that the projects have not adopted a successful secure development process. Competition Commissioner, 3. Leverage Technology to Uncover Security Vulnerabilities: Well-known security vulnerabilities, such as Cross-Site Scripting (XSS) and SQL Injection, were among the most Neelie Kroes, 2common and serious problems identified, which is consistent with OWASP findings. These recently stated that classes of vulnerabilities can be identified by enrolling in the free Fortify Java Open Review 3open standards, (JOR) project or with open source products, such as FindBugs. This indicates that the 4and open source, projects do not make use of technology to identify and resolve security issues. are preferable to These findings provide a call-to-action for organizations that rely on open source software. traditional closed Specifically, Fortify recommends:6source software. . Government and commercial organizations that leverage open source should use open source applications with great caution. Risk analysis and code review should be performed on any open source code running in business-critical applications, and these processes should be repeated before new versions of open source components are approved for use. . Open source projects should adopt robust security practices from their commercial counterparts. Open source development can benefit from private industry practices - notably those created by financial services organizations and larger independent software vendors (ISVs). Open source communities can then advertise and substantiate effective security practices that blend process and technology.

Introduction
Fortify recently conducted a study designed to better understand the overall security of popular open source projects and the role of security in their development processes. This work was motivated by the:Rapid growth in the adoption of open source among enterprises. An April 2008 survey by CIO.com showed that more than half of the respondents (53 percent) are using open source applications in their organization today, and an additional 10 percent plan to do so in the next year. For nearly half (44 percent), open ... [download for more]