Security of Open Source Software
Many people claim that the "openness" of open source software helps make it secure. With an entire community able to read all of the code, it seems reasonable that programming errors and security issues would be spotted more often, and thanks to static analysis tools like FindBugs, many issues are found and fixed before, during, and after a product is released. Products that rely on security through obscurity or snake-oil solutions generally do not hold up in an open source environment... but I think this can be a double-edged sword.
With the common perception that open source software is "more secure" than its closed source counterparts comes the risk that people (and companies) will place too much faith in it.
According to this study (pdf) by Fortify, which examined a number of OSS applications for potential security vulnerabilities:
...serious security threats stemming from numerous application vulnerabilities are a direct result of poor or nonexistent security processes. This follow-up survey found that security best practices are a low priority to the open source projects surveyed/community. Yet open source packages often claim enterprise-class capabilities but are not adopting — or even considering — industry best security practices.
Although the report has some bias (it examined only Java applications, yet draws fairly broad generalizations from them), its findings are significant. As more and more companies adopt OSS as a component of their software solutions, they must be careful not to also adopt the perception that it is inherently secure. Secure software depends on a lot more than the openness of its source code: it depends on the project actually following a security process, reviewing code, and fixing what is found.
