A recent report from Forrester Research noted that for over 88% of respondents, security of open source software was an important concern (Source: Forrester Research: Enterprise and SMB Software Survey, 2007)
Although enterprise adoption of OSS has steadily increased, little has been done within the OSS community to implement enterprise-worthy application security measures. As a result of the survey, Fortify recommends that enterprises should follow the example of financial services companies in applying risk and coding analysis techniques to their open source software. In addition, enterprises should:
Raise security awareness within open source development communities and emphasize the importance of preventing vulnerabilities upstream. Enterprise security teams should articulate their security requirements to open source maintainers to accelerate the adoption of secure development lifecycles.
Perform assessments to understand where their open source deployments and components stand from a security standpoint.
Remediate vulnerabilities internally or leverage Fortify's Java Open Review which provides audited versions of several open source packages.
"Most open source communities do not follow enterprise-level change control standards," says Jennifer Bayuk, independent security consultant and former CISO of Bear Stearns. "There is a hidden cost for the enterprise in using open source because they have to test and patch for security bugs they don't anticipate."
"Today's enterprises are built and operated by software that comes from a variety of sources," commented Roger Thornton, founder and CTO of Fortify Software. "The software could be developed in-house, purchased off-the-shelf, outsourced, or as we're seeing more often, based on open source. In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source."
To access a copy of the survey results, please visit http://www.fortify.com/l/oss/oss_report.html. For more information on Fortify's open source initiative, Java Open Review, visit http://opensource.fortify.com.