Internet security experts have hit out at the Conservative party for criticising UK government over its lack of support for open source software.
“The Conservatives have accused the government of failing to capitalise on open source software, despite reports from government agencies that have recommended its usage,” observes Richard Kirk, vice president and general manager of software security assurance specialist Fortify Software.
“Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as security is often overlooked, making users more vulnerable to security breaches,” he adds.
“That’s not to say that commercial software isn’t without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer.”
Fortify’s sponsored report, released last summer, looked at 11 of the most common Java open source packages, scanning them using Fortify SCA, the static analyser in Fortify 360. Manual code scanning was also carried out on security-sensitive areas of code.
Kirk concedes that the boundaries between commercial and open source applications are blurring. He agrees, for example, with analyst Gartner’s assessment that, by 2011, 80% of commercial software will have elements of open source technology.
For now, however, he insists that, although open source may appear the more logical choice over commercial applications in terms of direct costs, the less tangible costs of ruggedising it for secure industrial use can often outweigh those direct cost savings.