"Open source software can be another valuable option in today's corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business," said former White House security officer Howard Schmidt.

Specifically, Fortify focused in on JBoss, OpenCMS, Tomcat, Derby, Geronimo, Jonas, OFBiz, Resin, Struts, Hibernate, and  Hipergate open source packages.  Tomcat had the best results, while the remaining 10 had numerous problems found during testing using Fortify SCA.   

JBoss received credit for providing security information on its web site and offering an easy way for users to talk with security experts, but lost out because it didn't provide a direct link in which to report bugs and security issues.

After testing was completed, Fortify identified 15,612 SQL injection problems and 22,826 total cross-site scripting security flaws with all 11 software packages.

All applications have vulnerabilities and it may be careless to try and say that open source software has any more or less security vulnerabilities than other operating systems until better studies are conducted, analysts warn.

As the number of companies beginning to adopt open source software continues to increase, these security issues must be addressed by companies operating in the open source market.  Research performed by Gartner indicates that 80 percent of commercial software by 2011 will have some type of open source influence.

Security assessments also must be completed to help companies better understand security vulnerabilities and the threats they pose to users.

A full copy of the report can be found by creating a login and downloading it from here.