Widely-used open source software packages are not employing best practices for securing code, warns business security specialist Fortify Software.
Its Open Source Security Study reveals that the most widely-used software packages for business use are exposing users to “significant and unnecessary business risk”.
The research suggests that OSS development communities have yet to adopt a secure development process and “often leave dangerous vulnerabilities unaddressed”.
Additionally, it finds that nearly all OSS communities fail to provide users access to security expertise to help remediate these vulnerabilities and security risks.
“Open source software can be another valuable option in today’s corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business,” comments Howard Schmidt, former cyber security advisor to the White House.
“This is an endemic issue that starts in the open source community and, while open source software faces the same vulnerabilities as commercial or in-house developed software, the mechanisms to test and analyse code need to be done with great rigor in open source communities to influence a secure development process,” he adds.
Fortify is recommending that manufacturing companies follow the example of the financial services sector in applying risk and coding analysis techniques to their open source software.
In addition, it says they should:
Raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream.
Articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles.
Perform assessments to understand where their open source deployments and components stand from a security standpoint.
Remediate vulnerabilities internally or harness Fortify’s Java Open Review, which provides audited versions of several open source packages.
“Today’s enterprises are built and operated by software that comes from a variety of sources,” says Roger Thornton, founder and CTO of Fortify Software. “The software could be developed in-house, purchased off-the-shelf, outsourced, or as we’re seeing more often, based on open source.
“In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source.”