<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.thestandard.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title></title>
 <link>http://www.thestandard.com/node/110182/comments</link>
 <description>comments feed.</description>
 <language>en</language>
<item>
 <title>Neither Fortify nor Network World understand open source</title>
 <link>http://www.thestandard.com/news/2008/07/21/neither-fortify-nor-network-world-understand-open-source</link>
 <description>&lt;!--paging_filter--&gt;&lt;p&gt;&lt;a href=&quot;http://www.networkworld.com/news/2008/072108-open-source-security-risk.html?hpg1=bn&quot;&gt;&lt;img src=&quot;/sites/thestandard.com/files/u4993/osi_logo.png&quot; alt=&quot;Open Source Initiative logo image&quot; align=&quot;left&quot; border=&quot;0&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; width=&quot;150&quot; /&gt;Network World features an article today&lt;/a&gt; highlighting a press release issued by Fortify promoting the results of &lt;a href=&quot;http://fortify.com/news-events/releases/2008/2008-07-21.jsp&quot;&gt;a recent Fortify study&lt;/a&gt; that claims open source software is a massive security risk for companies. The study evaluated 11 open source applications and claims to have found 22,826 cross-site scripting and 15,612 SQL injection issues across multiple versions of the application packages.&lt;/p&gt;
&lt;p&gt;The study rated the application server Tomcat as the most secure of the 11 products studied, with JBoss rated second. The main reason JBoss edged out the other nine was that it uses a centralized email address and contact information for reporting security vulnerabilities. The majority of the projects cited in the study are community-based projects, meaning they receive little or no funding and are built by volunteers. Unlike corporate-owned open source projects (such as JBoss), they have no single point of contact, which explains the lack of a dedicated department or contact for these types of issues.&lt;/p&gt;
&lt;p&gt;Obviously, Fortify has everything to gain with this study, as the company provides &amp;quot;products and services protect companies from the threats posed by security flaws in business-critical software applications.&amp;quot; The more security flaws Fortify finds in applications, the more money they can make from companies who need help in fixing those flaws.&lt;/p&gt;
&lt;p&gt;What Fortify (and &lt;i&gt;Network World&lt;/i&gt;, by taking the press release at face value) does not understand is that, generally, non-hackers who discover exploits should be smart enough to fix the problem themselves. Fortify wants to make money fixing those problems, and therefore has no interest in supporting the projects by fixing the alleged errors. Fortify would probably be happy to do so as a billable effort in providing services to a paying customer, however.&lt;/p&gt;
&lt;p&gt;With the source code freely available, anyone can submit a fix, even if the codebase is locked down to approved committers. It isn&#039;t surprising at all that an email sent by a company who is looking for monetary gain by identifying security holes didn&#039;t receive a response from most of the projects, unless the email identified particular areas of code that need fixes.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;In the interest of full disclosure, my husband, Jason Carreira, is a former Core Committer and Emeritus Project Management Committee Member for Struts. &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Network World and The Industry Standard are both published by IDG.&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Image via &lt;a href=&quot;http://www.opensource.org&quot;&gt;Open Source Initiative&lt;/a&gt;. &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;More news, commentary, and predictions from &lt;i&gt;The Industry Standard&lt;/i&gt;:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Prediction: &lt;b&gt;&lt;a href=&quot;/predictions/wordpress-will-add-data-portability-its-forthcoming-distributed-social-networking-functi&quot;&gt;WordPress will add data portability to its forthcoming “distributed” social networking functionality &lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;Prediction: &lt;b&gt;&lt;a href=&quot;/predictions/google-announces-plans-free-open-source-os&quot;&gt;	Google announces plans for free open source OS&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;News: &lt;b&gt;&lt;a href=&quot;/news/2008/07/21/xorpsource-raises-5-million-first-round-open-source-routing-software&quot;&gt;XORPsource raises $5 million in first round for open-source routing software&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;News: &lt;b&gt;&lt;a href=&quot;/news/2008/07/21/dell-offers-new-machines-linux-ubuntu-8-04&quot;&gt;Dell offers new machines with Linux Ubuntu 8.04&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
 <comments>http://www.thestandard.com/news/2008/07/21/neither-fortify-nor-network-world-understand-open-source#comments</comments>
 <category domain="http://www.thestandard.com/taxonomy/term/6658">co:Fortify</category>
 <category domain="http://www.thestandard.com/taxonomy/term/5065">FOSS</category>
 <category domain="http://www.thestandard.com/taxonomy/term/6669">product:jboss</category>
 <category domain="http://www.thestandard.com/taxonomy/term/5667">Software &amp;amp; Web</category>
 <category domain="http://www.thestandard.com/taxonomy/term/6668">Software\Open source</category>
 <category domain="http://www.thestandard.com/taxonomy/term/2514">The Industry Standard</category>
 <pubDate>Mon, 21 Jul 2008 18:36:58 -0400</pubDate>
 <dc:creator>Cyndy Aleo-Carreira</dc:creator>
 <guid isPermaLink="false">110182 at http://www.thestandard.com</guid>
</item>
</channel>
</rss>
