Open Source & Security

There is a rash of articles on the web this week regarding a recent study by Fortify Inc. (a software security firm) of open source software:

Companies who opt for open source software within their organizations could be leaving themselves open to security breaches.

That’s according to software company Fortify which has researched the implementation of several open source projects and found them lacking, with one executive suggesting that they could learn from Microsoft in how to improve security.

Is anyone else giggling a little? While this may seem funny, it is something we have to take seriously. This article from PC World is one of 8 that I have read and I’m sure that there are even more out there.

Some facts on the study. First, they researched 16 (although some reports say 11) Java-based enterprise-level applications:

  • Cayenne, an object-relational mapping tool.
  • Hibernate, an object-relational mapping tool.
  • Derby, an embedded relational database.
  • Geronimo, an application server.
  • Hipergate, a Web-based customer relationship management
    application.
  • JBoss, an application server.
  • Jonas, an application server.
  • Ofbiz, a Web-based CRM application.
  • OpenJMS, a Java Message Service solution.
  • OpenCMS, a content management tool.
  • Resin, an application server.
  • Shale, a JSF Web framework.
  • Struts, a Web application framework.
  • Tomcat, a servlet engine.
  • Webharvest, a Web crawler.

Next, I haven’t seen any reports where Fortify compared these results to proprietary counterparts.

The fact of the matter is that all software has security issues. And anyone using Windows or Internet Explorer knows all about that. I should mention (since I mentioned IE) that Fortify did state that open source developers should follow the model that Mozilla is using since Firefox is so well developed and secure.

I think that Cyndy Aleo-Carreira puts it best in her response to the report:

Obviously, Fortify has everything to gain with this study, as the company provides “products and services protect companies from the threats posed by security flaws in business-critical software applications.” The more security flaws Fortify finds in applications, the more money they can make from companies who need help in fixing those flaws.

What Fortify (and Network World, by taking the press release at face value) does not understand is that, generally, non-hackers who discover any exploits should be smart enough to fix the problem themselves. Fortify wants to make money fixing those problems, and therefore has no interest in supporting the projects by fixing the alleged errors. Fortify would probably be happy to do so as a billable effort in providing services to a paying customer, however.

With the source code freely available, anyone can submit a fix, even if the codebase is locked down to approved committers.

Having been monitoring an open source mailing list and developer community for the last 5 months, I can tell you that they are constantly considering the most secure way to resolve problems and if someone can’t come up with a good way to do it, there is always someone to pick up the slack.

The shame of it is that people will see these types of reports and just assume that all open source is insecure - and suddenly forget about that virus that made them lose all of their family pictures last year or the fact that the last time they received a patch from their proprietary vendor was 2 years ago. All software has its issues - it's programmed by humans - and humans aren't perfect, but I do have to say that I much prefer the open source development model to the others.
