Cyndy Aleo-Carreira

Neither Fortify nor Network World understand open source

07.21.2008

Network World features an article today highlighting a Fortify press release promoting the results of a recent Fortify study that claims open source software is a massive security risk for companies. The study evaluated 11 open source applications and claims to have found 22,826 cross-site scripting and 15,612 SQL injection issues across multiple versions of the application packages.

The study rated the Tomcat application server as the most secure of the 11 products studied, with JBoss second. The main reason JBoss edged out the other nine was that it uses a centralized email address and contact information for reporting security vulnerabilities. The majority of the projects cited in the study are community-based, meaning they receive little or no funding and are built by volunteers. Unlike corporate-owned open source projects (such as JBoss), they have no single point of contact, which explains the lack of a dedicated department or contact for these types of issues.

Obviously, Fortify has everything to gain from this study, since the company provides products and services that "protect companies from the threats posed by security flaws in business-critical software applications." The more security flaws Fortify finds in applications, the more money it can make from companies that need help fixing those flaws.

What Fortify (and Network World, by taking the press release at face value) does not understand is that, generally, non-hackers who discover exploitable flaws should be smart enough to fix the problem themselves. Fortify wants to make money fixing those problems, and therefore has no interest in supporting the projects by fixing the alleged errors. Fortify would probably be happy to do so as a billable effort for a paying customer, however.

With the source code freely available, anyone can submit a fix, even if the codebase is locked down to approved committers. It isn't surprising at all that an email sent by a company looking for monetary gain by identifying security holes didn't receive a response from most of the projects, unless the email identified the particular areas of code that needed fixes.

In the interest of full disclosure, my husband, Jason Carreira, is a former Core Committer and Emeritus Project Management Committee Member for Struts.

Network World and The Industry Standard are both published by IDG.

Image via Open Source Initiative.



Comments

While I applaud and regularly take advantage of the open source community and the spirit in which it develops, I think professional paid services are very much necessary in making open source software viable in a professional environment.

For example, if a problem is found, many times workers simply don't have the bandwidth to take on troubleshooting it and outsourcing the problem would be a better source of resources.

It's interesting to see the fee-based services market interact with free-based open source thinking.


Chris, in a lot of cases that happens, especially when it comes to projects like JBoss and MySQL, which are owned by corporate entities. But who's going to pay Fortify or a company like them to make these fixes? The whole point of Open Source is that anyone can fix a bug if they find it, or at least suggest how to fix it. If someone is smart enough to find a bug, he or she is smart enough to fix it. You can't outsource without funding.

The prevailing culture of something for nothing is cutting into it, I'm sure. But my personal feeling is that this is mostly a PR move for Fortify to market their services. How many of those 22,000-odd cross-site scripting issues are the same bug that Fortify counted based on an estimate of possible versions installed, that would be fixed in just a few lines of code, or even HAVE been fixed in a newer version and would be fixed by updating?


I agree with you Cyndy. They're following the money: for "organic" open source projects where the project doesn't have the funds for tools such as Fortify, they're targeting the end users of those open source projects, suggesting that the end users engage the Fortify products or services. It's frustrating that this FUD is getting so much coverage in the trade press.

I've blogged on this topic at blogs.ingres.com/emmamcgrattan


It is a very widely shared misunderstanding that the free as in beer is really important. It is simply a business consequence of the more important freedom of open source, which is the freedom to fix, enhance and improve it.

The idea behind OSS is not getting the software for free (of cost), but to share the burden of development. The idea(l) is that every user does contribute somehow, by fixing the bugs that (s)he discovers (and bug him/her) and adds the features that someone feels are missing. And then there is the organization of the project team, with committers, which should be based on merits.

As recent security flaws discovered in the DNS system have shown, open source (the vast majority of implementations for DNS servers) can react rather quickly to security discoveries. And a story from today shows that even the largest (and most professional) software companies can fail to consider security ahead of time (http://it.slashdot.org/article.pl?sid=08/08/08/1155208).

The Achilles heel of open source is not security but end-user documentation. Because, who is writing end-user grade professional documentation (and keeps it up to date) just to improve the working of the software for oneself? There is enough self interest to fix a security flaw and share the fix. But the task of writing decent documentation is something that is either carried by altruism or as a paid service.

