
Open source fraught with security vulnerabilities, study says


If security is your top priority, think twice before turning to an open source solution, says an application security solutions vendor.

Fortify Software Inc. of San Mateo, Calif., released its Open Source Security Study this week, finding that some of the most popular and widely used Java-based open source software packages expose companies to significant risk. Independent consultant Larry Suto was also involved in the project.

The study found that open source projects often fail to document security implications and the specifics of secure deployment. These projects also often fail to adopt a secure development process or to adequately uncover security vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection.


But there are valid reasons for using open source software. If you choose to do so, the most important action a company can take is to designate a dedicated security expert on staff and actively encourage that person to build skills through training and education. Fortify also recommends conducting a thorough risk analysis and code review of any open source code running in business-critical applications.

Companies should also raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream, the study said. Other advice included performing assessments to understand where your open source deployments and components stand from a security perspective and remediating any vulnerabilities found.

There are also specific actions companies should take around people, processes and technologies. On the people front, consider appointing a security expert with the power to veto releases before they reach production. On the process side, build security in by mandating processes that integrate security proactively throughout the software development lifecycle. For technology, make sure you use technologies that “get security right”, including static analysis during development and dynamic analysis during security testing in quality assurance.




