Fortify Software, a vendor of security scanning solutions, has put out a
saying that open source software poses security risks for
businesses, partly as a result of the lack of use of security scanning
solutions. There is an associated report available for those who
register. "The survey, sponsored by Fortify Software and completed
by leading application security consultant Larry Suto, examined 11 of the
most common Java open source packages. In order to evaluate the security
expertise offered to users and to measure the secure development processes
in place in OSS communities, Fortify interacted with open source
maintainers and examined documented open source security practices.
The whole thing may be self-serving, but there is also a real point:
anybody contemplating putting software into a security-relevant setting
should look at how the project handles security issues.
to post comments)