Richard Kirk of Fortify Software argues that many companies are leaving their businesses vulnerable through the use of open source software. Its very nature makes its security weak and both the development community and companies should become more aware of risk.
Businesses today are built and operated by software that houses intellectual property, business processes and trade secrets that are vital to the health of an enterprise. Organisations must address potential weaknesses in their everyday operations before they become exploitable.
It's the ultimate irony: the versatile software you depend on to run your business also puts it at risk. Your applications hold the business processes and the data that form the lifeblood of your company. Yet, even as they open your business up to more customers and partners, the security holes your software contains leave you vulnerable to attack. Relentless and destructive data predators are ready to pounce. Today's hackers, organised crime cartels and enemy nations are highly adept at quickly turning security flaws into stolen data and cash.
I'm not in the habit of finger pointing over flaws in packages – let's face it, we all know that application bugs exist; the only real question is why.
Open source development introduces risk to your business in unique ways. The inexpensive and readily available nature of open source makes it easy to adopt, but at what cost to enterprise security?
A Fortify-sponsored Open Source Security Study published in July, completed by leading application security consultant Larry Suto, examined 11 of the most common Java open source packages. It confirmed that the most widely-used open source software packages for the enterprise are exposing users to significant and unnecessary business risk.
The study argued that Open Source Software (OSS) development communities have yet to adopt a secure development process and often leave dangerous vulnerabilities unaddressed. Additionally, it found that nearly all OSS communities fail to provide users access to security expertise to help fix these vulnerabilities and security risks. The study sparked debate on a number of topics related to OSS that anyone in IT or enterprise security should understand. The response to the report set off some familiar refrains, which miss the point and don’t get us any closer towards the goal of a secure enterprise.
Better security - open source vs proprietary
Improving the engineering process of building secure code applies to every software project, whether it is open source or 'closed' and it's not important who writes the code, but how. Any competent engineering team will be able to generate secure code if security is made a part of the design, just as they are able to bring a low-cost solution to market, or a high-performance solution.
From its vantage point, Fortify sees literally thousands of development teams, and for those within the IT organisations of financial and other highly-regulated industries there is a sophisticated process in place for application security. With the current open source model, those experts who take the time can push vulnerabilities back to the development community for fixing, or fix them themselves, but that will never be as sound as building the software securely in the first place.
Security and quality are the same
Recently the icon of OSS development, Linus Torvalds, emailed the Linux development team, weighing in on the quality versus security debate. He argued that, "In fact, all the boring normal bugs are way more important, just because there's a lot more of them". Although it is true to say that quality and security are both important, I strongly disagree with Torvalds for several reasons:
quality is cumulative, whilst security is absolute
quality is about making the main path of operation work and accepting flaws on the side, whereas security must cover everything
quality is an open problem, whereas security is a closed one. There is no comprehensive list of known security bugs; criminals, in particular, compile these lists and they don't share them. Quality, by contrast, is reinforced by customers in the open market.
A managed risk approach
Traditionally, companies have largely depended on 'perimeter-based' approaches like network security to prevent data predators and criminals from gaining access to corporate information. However, the demands of today's open business environment weaken the protection provided by firewalls and other perimeter security efforts, leaving a corporation's applications accessible and vulnerable to hackers.
In order to mitigate the business risk created by insecure applications, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software, whatever the source. Business Software Assurance (BSA) is a growing industry trend that refers to technologies and techniques that enable you to maximise the flexibility, enhanced capabilities and easy availability of enterprise software without exposing your operations to attacks that can threaten your business. In short, BSA answers the question 'How do you know your business is secure?' By identifying and resolving your most critical application vulnerabilities, you can enhance software assurance.
What next?
Ultimately, the solution is developers and security experts working together to build secure software right from the start.
Recommendations for organisations relying on open source
Government and commercial organisations that leverage open source should use these applications with great caution. Risk analysis and code reviews should be performed on any open source code running in business-critical applications and these processes should be repeated before new versions of open source components are approved for use. Organisations considering open source software must thoroughly evaluate open source security practices.
Enterprises should:
Open source development can benefit from private industry practices. Indeed those communities who do can then advertise and substantiate the effective security practices that blend process and technology. These practices include:
Richard Kirk is the European director of Fortify Software www.fortify.com [1]. Part of the company’s business is to provide audited versions of several open source packages. Mr Kirk invites any open source group who would like to get involved in the process of improving security as a part of the development process, to get in touch.
Links:
[1] http://www.fortify.com/