Open Source Security Study
WWW.FORTIFY.COM
1
Open Source Security Study
How Are Open Source Development Communities
Embracing Security Best Practices?

Fortify's Security
Research Group
and Larry Suto
July 2008

Table of Contents
3  Introduction
4  Study Methodology
5  Key Findings
9  Conclusions
10 About Larry Suto
11 About Fortify
11 References

Executive Summary

Open source now permeates more than 50 percent of enterprises, and its use is growing
rapidly.1 This trend underlies an assumption held by many IT and business leaders that open
source is enterprise class in terms of functionality and scalability. But is it secure? How much
business risk is introduced with open source?

As a provider of software security assurance tools, Fortify has often been drawn into the center of the debate over this question. The use of Fortify tools to identify vulnerabilities in open source software has demonstrated that risk exists. Fortify has made attempts to reduce the risk by sharing vulnerability reports with the open source community. Yet the risk remains. In an effort to ascertain why open source development seems resistant to information on security, Fortify surveyed the open source community. (See Figure 1.) Our research revealed that open source projects lack the three essential elements of security: people, process, and technology, thereby introducing significant application security risk. The study showed that many open source projects fail to:

1. Provide Access to Security Expertise: Few open source projects provide documentation that covers the security implications and secure deployment of the software they develop, a dedicated email alias for users to report security vulnerabilities, or easy access to internal security experts to discuss security issues.

2. Adopt a Secure Development Process: Not only did every project that we scanned contain significant security issues, but in all but one, the total number of security issues remained constant or increased between successive releases. This demonstrates that the projects have not adopted a successful secure development process.

3. Leverage Technology to Uncover Security Vulnerabilities: Well-known security vulnerabilities, such as Cross-Site Scripting (XSS) and SQL Injection, were among the most common and serious problems identified, which is consistent with OWASP findings.2 These classes of vulnerabilities can be identified by enrolling in the free Fortify Java Open Review (JOR) project or with open source tools, such as FindBugs.3 This indicates that the projects do not make use of technology to identify and resolve security issues.4

These findings provide a call-to-action for organizations that rely on open source software.
Specifically, Fortify recommends:

• Government and commercial organizations that leverage open source should use open source applications with great caution. Risk analysis and code review should be performed on any open source code running in business-critical applications, and these processes should be repeated before new versions of open source components are approved for use.

• Open source projects should adopt robust security practices from their commercial counterparts. Open source development can benefit from private industry practices, notably those created by financial services organizations and larger independent software vendors (ISVs). Open source communities can then advertise and substantiate effective security practices that blend process and technology.

Introduction

Fortify recently conducted a study designed to better understand the overall security of popular
open source projects and the role of security in their development processes. This work was
motivated by the:

Rapid growth in the adoption of open source among enterprises

• An April 2008 survey by CIO.com showed that more than half of the respondents (53 percent) are using open source applications in their organization today, and an additional 10 percent plan to do so in the next year. For nearly half (44 percent), open source applications are considered equal to closed-source solutions during the acquisition process.5

• The European Commission's Competition Commissioner, Neelie Kroes, recently stated that open standards, and open source, are preferable to traditional closed source software.6
