Open source could learn from Microsoft

Companies who opt for an open source software within their organisations could be leaving themselves open to security breaches.

That's according to software company Fortify which has researched the implementation of several open source projects and found them lacking, with one executive suggesting that they could learn from Microsoft in how to improve security.

The research completed by security consultant Larry Suto, examined 11 of the most common Java open source packages. Fortify worked with open source maintainers and examined documented open source security practices to evaluate the level of security. The results were disappointing: the Fortify study found that many Open Source Software (OSS) development communities have not yet adopted a secure development process and often leave dangerous vulnerabilities unaddressed.

Rob Rachwald, Fortify's director of product marketing said that open source developers should be prepared to learn from companies like Mozilla, which has recently hired Rich Mogull as its security chief.

Even Microsoft could be help up as an example of good security practice. Rachwald said that had improved its security policies no end, “It's a company that used to be severely slammed for its security procedures but, following the 2002 Trustworthy Computing memofrom Bill Gates, that's all changed. Gates simply said 'if it's a choice between functionality and security, always choose security' and the company has changed its mindset, said Rachwald.

He added that proprietary software developers tended to think far more about security issues than open source developers did – although he conceded that this wasn't always the case.

Rachwald said that a lot of the developers' problems started with their initial training. “The problem starts with the developers themselves and in particular with their education. “They've normally majored in computer science and just haven't had the grounding in security issues.”

He said that it was true that the openness of open source projects would help secure vulnerabilities. But, he said, companies should ask themselves what would they rather be “great at fixing security problems or preventing those problems from happening in the first place.”

According to Fortify, there are three key ways to improve the security of open source projects: first, appoint a security expert, someone with a thorough understanding of security issues. ”The difference between you and me and a security expert,”said Rachwald, “is that you and I enter a shop and think about what we could buy, the security expert enters and thinks about what he could steal.”

Second, build security processes within the software development lifecycle and third, use the correct tools to test the security procedures.