Fortify warns open source is insecure

Business users warned to approach open source with "great caution"

Business leaders have been warned by security firm Fortify Software that increased use of open source software within the enterprise should be approached with "great caution".

In a new report, entitled "Open Source Security Study: How Are Open Source Development Communities Embracing Security Best Practices?", Fortify warned that IT chiefs should be extra vigilant when deploying open source software.

"Government and commercial organisations… should use open source applications with great caution," the report concluded.

All software development carries the risk of vulnerabilities in the code, the report noted, but it suggested that the open source community trails in-house development and commercial rivals when it comes to developing enterprise-class security support.

"Today’s enterprises are built and operated by software that comes from a variety of sources - but as we’re seeing more often, can be based on open source," said Roger Thornton, chief technology officer at Fortify.

Fortify based its analysis on a study carried out by application security consultant Larry Suto, in conjunction with Fortify's Security Research Group. Eleven open source Java applications were examined, using Source Code Analysis (the static analyser module in Fortify's recently released Fortify 360 package), including the Geronimo, JBoss and Tomcat application servers, the Struts web application framework and the OpenCMS content management solution.

These applications were then evaluated for the sophistication of their security support, including documentation and availability of support.

Fortify concluded that many open source applications provide inadequate access to security expertise, do not adopt a sufficiently rigorous approach to security in the development process, and do not use state-of-the-art tools to test application security.