Open source should be treated with "great caution"

 

Gallery

By Stuart Turton

Posted on 21 Jul 2008 at 13:22

A new report has damned the security of open-source software, claiming that "government and commercial organisations that leverage open source should use it with great caution."

The report, sponsored by security company Fortify, claims to have examined 11 of the most common Java open-source packages in use by enterprises today, including Geronimo, JBoss and OpenCMS, finding serious security flaws such as SQL Injection vulnerabilities in all of them.

The report further alleges that not only is open-source software inherently unsafe, but that developers are also failing to correct flaws once identified - with vulnerabilities persisting across new software releases.

"Not only did every project that we scanned contain significant security issues, but in all but one, the total number of security issues remained constant or increased between successive releases."

Fortify also claims that it has attempted to share its security findings with the open-source community, but has found that "open-source development seems resistant to information on security."

Unsurprisingly, Fortify goes on to recommend that organisations looking to implement open source should first perform a code review to test security, something the company specialises in.

The report is sure to stoke a few tempers in the open-source community, which is riding an unprecedented high in both enterprise and consumers markets, with a recent report from CIO suggesting that 53% of all enterprises now utilise open-source applications.

Last week, Linus Torvalds tore into open-source security zealots, claiming that OpenBSD developers in particular concentrated "on security to the point where they pretty much admit that nothing else matters to them."