Open Source Security Study: Fortify Got it Wrong
Several bloggers have already reported on the Open Source Security Study released by Fortify’s Security Research Group (and Larry Suto), but we have yet to see anyone take an in-depth look at the study itself. This is our attempt to take a closer look at the study titled “How Are Open Source Development Communities Embracing Security Best Practices?”. The study, which was released as an 11-page report, is free to download from the company’s website.
We’ll analyze some of the statements and conclusions made in the report, and also look at a couple of the “Open Source Development Communities” that the study surveyed.
What led Fortify to embark on this study? According to Fortify, the study was inspired by:
- An April 2008 survey by CIO.com showed that more than half of the respondents (53 percent) are using open source applications in their organization today, and an additional 10 percent plan to do so in the next year. For nearly half (44 percent), open source applications are considered equal to closed-source solutions during the acquisition process.
- The European Commission’s Competition Commissioner, Neelie Kroes, recently stated that open standards, and open source, are preferable to traditional closed source software.
So, a survey result and a favorable comment from an influential official, both concerning Open Source solutions, inspired Fortify to undertake this study of 11 open source communities, which were chosen because:
they are implemented in Java (the most common programming language for enterprise development), represent a wide range of application functionality, and are used extensively to build and deploy enterprise applications.
And the chosen (open source) applications are:
- Derby
- Geronimo
- Hibernate
- Hipergate
- JBoss
- JOnAS
- OpenCMS
- Resin
- Struts
- OFBiz
- Tomcat
Given the sweeping and misleading conclusions that the report reached, a study of a particular group of applications should also include a comparative study of their closed source equivalents. But, no, Fortify chose to exclude “Freeware projects that are not open source”. And for the open source applications that it did study (see the list above), Fortify found that “few open source projects provide” access to security resources, which the study identified as:
- documentation that covers the security implications and secure deployment of the software they develop
- a dedicated email alias for users to report security vulnerabilities
- or easy access to internal security experts to discuss security issues