
Fortify: open source software is a security risk for businesses

Fortify Software, a vendor of security scanning solutions, has put out a press release saying that open source software poses security risks for businesses, partly because those projects make little use of security scanning tools. There is an associated report available for those who register. "The survey, sponsored by Fortify Software and completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. In order to evaluate the security expertise offered to users and to measure the secure development processes in place in OSS communities, Fortify interacted with open source maintainers and examined documented open source security practices."

The whole thing may be self-serving, but there is also a real point: anybody contemplating putting software into a security-relevant setting should look at how the project handles security issues.



Fortify: open source software is a security risk for businesses

Posted Jul 22, 2008 14:14 UTC (Tue) by The_Pirate (guest, #21740) [Link]

(spitting half a cup of coffee into keyboard... reading carefully, letter by letter..."open
source software is a security risk for businesses"...)

Ha!

Haha!

Hahahaha!
Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!
Muahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!
Hahahahahahahahahahahahahaha(gasp)hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha....

(hitting the floor, unconscious after hyperventilating)

Fortify: open source software is a security risk for businesses

Posted Jul 22, 2008 14:42 UTC (Tue) by Gollum (subscriber, #25237) [Link]

I hate self-serving generalisations as much as the next guy. But the point remains that you DO
get open source developers that do not care about security, and do not have the financial
incentive to care, either.

While it results in them losing any reputation that they may have, and it should be relatively
easy to find out about their attitude through public fora and mailing lists, etc, this is the
reality. 

One example is SQL Ledger, IIRC (reported on LWN several times), which was forked because the
developers refused to address security problems.

Fortify: open source software is a security risk for businesses

Posted Jul 22, 2008 15:01 UTC (Tue) by michaeljt (subscriber, #39183) [Link]

If you care about security you should probably be getting your software from a third party who
takes care of these issues for you (Red Hat?) unless you know what you are doing. Trying to do
free (as in speech!) software on the cheap will get you the same results as doing anything
else on the cheap.

Fortify: open source software is a security risk for businesses

Posted Jul 24, 2008 9:31 UTC (Thu) by ekj (subscriber, #1524) [Link]

Sure you do. But you get -ANY- kind of software from developers that do not care about
security and have scant financial incentive to care. Really.

If you think otherwise, you ain't spent enough time in proprietary development environments.

Fortify: open source software is a security risk for businesses

Posted Jul 22, 2008 14:38 UTC (Tue) by rafaspol (guest, #53032) [Link]

http://findbugs.sourceforge.net

'This is the web page for FindBugs (...) distributed under the terms of the Lesser GNU Public
License (...) FindBugs is sponsored by Fortify Software.'

I rest my case.

Fortify: open source software is a security risk for businesses

Posted Jul 22, 2008 20:57 UTC (Tue) by skitching (subscriber, #36856) [Link]

What exactly _is_ your case?

FindBugs is an excellent tool for java programs. It is easy to use, and totally free. It isn't
hugely sophisticated, but easy to run and very useful. I'm grateful to anyone or any company
who contributes to the existence of FindBugs.

And in at least one OSS project I'm involved in, releases have gone out for years with
hundreds of FindBugs warnings or errors. Not good, but no-one seems to have the time or
interest to fix them. For example, I've got the interest, but not the time.

This seems to reinforce the point that for security-sensitive applications, you *do* need to
look carefully at the track record of the provider, whether OSS or proprietary.

Fortify: Java software is a security risk

Posted Jul 22, 2008 22:07 UTC (Tue) by ncm (subscriber, #165) [Link]

No, the real point is that "anybody contemplating putting Java code into a security-relevant
setting should look at how the project handles security issues."

(ob-:-)

Fortify: Software is a security risk

Posted Jul 22, 2008 22:45 UTC (Tue) by dwheeler (guest, #1216) [Link]

The title should read "Software is a security risk".

If the quality of the software is important, you should examine it before you start using it. Period.

Fortify: Java is a security risk

Posted Jul 22, 2008 23:57 UTC (Tue) by ncm (subscriber, #165) [Link]

Yes, but Fortify only sells Java stuff.

Fortify: open source software is a security risk for businesses

Posted Jul 23, 2008 15:44 UTC (Wed) by dwheeler (guest, #1216) [Link]

Here are a few comments on the report; unfortunately, there isn't enough detail in the report to see if there's anything to it or not, and there are a couple of biases and errors that make me wonder.

First, it's Java-heavy. The study author sells a proprietary static analysis tool for Java, so the Java bias is understandable. But their title should have made it clear that they were only analyzing a few Java programs, and not a representative sample of major OSS projects. They also ignored the enterprise support options for these programs, which is completely unjustifiable.

I think its Java bias matters. Until very recently, most Java programs required Sun's proprietary Java implementation. The FSF and others have repeatedly warned of the "Java Trap" (http://www.gnu.org/philosophy/java-trap.html) - so a very large proportion of the FLOSS community has actively ignored Java programs. Sun has recently released most of its Java implementation as FLOSS, and the most recent versions of Fedora and Ubuntu have now integrated it (though Debian hasn't), so I think we'll start to see more cooperation in Java projects.

They made three claims, let's take a look at them...

"Failure to Provide Access to Security Expertise... [aka] documentation that covers the security implications and secure deployment of the software they develop, a dedicated email alias for users to report security vulnerabilities, or easy access to internal security experts to discuss security issues". Odd, they seem to be ignoring the enterprise versions (e.g., Red Hat sells JBOSS support); that doesn't seem to be a fair methodology. They claim a lack of a "dedicated email alias", yet I believe many of these projects are Apache Software Foundation (ASF) projects. If you go to the ASF contact page (http://www.apache.org/foundation/contact.html) the dedicated email address for security issues is clearly listed (it is security, at, apache.org - which you could have probably guessed). Their demand for a "dedicated email alias" and "easy access to internal security experts" shows that they fail to understand that some people want totally open discussions, which these projects do support. They may not LIKE that, and actually I'd agree with them, but claiming that there's NO way to report vulnerabilities or to talk with developers seems fundamentally mistaken. I agree with them that documentation about security needs improvement, though I don't see any evidence that FLOSS is worse than proprietary software on that count.

"Failure to Adopt a Secure Development Process... In virtually every project analyzed, there were a significant number of security issues that went unaddressed over three generations of releases...". It's not clear what these "issues" were. Were these REAL issues, or just reports from a static analysis tool? I wish they'd gone more into this; it's hard to say whether this is really true or not given their report. Often static analysis tools' reports have LOADS of false positives. As a result, it's hard to see if this is real or not.

"Failure to Leverage Technology to Uncover Security Vulnerabilities: The number of security issues identified in the study - especially in the most popular open source packages - was surprising...". Again, not surprising if what is being measured is raw unanalyzed tool output. It could be that every single "vulnerability" is a false positive (not an uncommon result, unfortunately). I would agree with them that I'd like to see more projects use more tools, but a lot of FLOSS projects do use tools. For example, the Linux kernel developers ended up creating their own static analysis toolsuite because tools are normally designed to analyze applications, not kernels.

The claim that this is representative of FLOSS is unfounded, since it only considers a few Java programs and ignores their enterprise support options (which is what you'd use for an enterprise!). I really wish they'd explained what they meant by issues; the problem of tool false positives is very well known, and I don't see that they really addressed that.

The original said: "Government and commercial organizations that leverage open source should use open source applications with great caution. Risk analysis and code review should be performed on any open source code running in business-critical applications...". Um, let's try: "Government and commercial organizations that leverage software should use software with great caution. Risk analysis and code review should be performed on any software running in business-critical applications...". There, fixed that for you.

And once again, they confuse "open source software" with "non-commercial". Essentially all free-libre / open source software (FLOSS) is commercial, see (http://www.dwheeler.com/essays/commercial-floss.html). Hopefully soon they'll stop making this mistake.

Fortify: open source software is a security risk for businesses

Posted Jul 24, 2008 13:07 UTC (Thu) by ber (subscriber, #2142) [Link]

David,
thanks for summing up some of the most noticeable problems with the "study". Some of my comments in the same league were published in a German article from Pressetext about the study.

Fortify: open source software is a security risk for businesses

Posted Jul 26, 2008 18:37 UTC (Sat) by muwlgr (guest, #35359) [Link]

I think Debian had packaged Java 1.5 into stable etch, and 1.6 into
testing/unstable (although as a non-free one). Where do you think Ubuntu
get these packages from?

Fortify: open source software is a security risk for businesses

Posted Aug 8, 2008 23:56 UTC (Fri) by undefined (guest, #40876) [Link]

debian packaged sun jdk/jre 1.5 in etch.  1.6 is in testing and will be released as lenny
(hopefully later this year).  but those are the sun proprietary licensed versions.

matthias klose, who works for canonical, packaged icedtea and now openjdk for debian and
ubuntu, but ubuntu released with it first.  it might be a while until debian releases with it
because the stable-release freeze has begun in testing/lenny and openjdk is stuck in unstable.
since matthias works for canonical, it's no surprise that it appeared in ubuntu first.

historically, icedtea was packaged for ubuntu gutsy/7.10 and installable on debian
unstable/sid, but never uploaded to unstable (or even experimental, i believe). [1]  openjdk 6
was released with hardy. [2] openjdk was just uploaded to unstable less than a month ago. [3]

so i would agree with dave's statement that the "free" version of java is in ubuntu (since
hardy and before that icedtea in gutsy), but not debian (not before last april, nor even
planned for the next stable release, lenny).

[1] http://lists.debian.org/debian-java/2007/08/msg00028.html
[2] http://packages.ubuntu.com/search?suite=default&secti...
[3] http://packages.qa.debian.org/o/openjdk-6.html

In other words...

Posted Jul 24, 2008 8:41 UTC (Thu) by eduperez (guest, #11232) [Link]

Anyone not using our products (OSS, by example) is at risk.

Fortify: open source software is a security risk for businesses

Posted Jul 26, 2008 19:31 UTC (Sat) by cde (subscriber, #46554) [Link]

I have used Fortify myself (as part of my job) to audit the source code of a very large Java
web application. Let me say that not only is the tool greatly overpriced, but it also
produced about 98% false positives. A manual inspection of the source would have been not
only far less expensive, but at the same time more relevant.

Fortify: open source software is a security risk for businesses

Posted Jul 27, 2008 6:22 UTC (Sun) by planner (guest, #53110) [Link]

Holy crap! What a "study". A somewhat detailed response has been posted on osourcemobile.com. The
link is http://osourcemobile.com/2008/07/open-source-security-stu...

Fortify: open source software is a security risk for businesses

Posted Sep 4, 2008 8:29 UTC (Thu) by maberdour (guest, #53737) [Link]

Richard Kirk, European Director of Fortify, has penned a response to many of the rebuttals made on the web to their report.

"The response to the report set off some familiar refrains, which miss the point and don’t get us any closer towards the goal of a secure enterprise..."

Read the full response at http://www.contractoruk.com/003949.html

Apparently Fortify is already in discussions with open source providers with whom it is working to improve processes and Richard has invited any open source groups to get in touch. But he mentions no names or whether there are any costs involved...

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds