
Open source software, while possibly still more secure than Windows, still has its own security issues to deal with

Security experts have long chided Microsoft for major security vulnerabilities and for its Patch Tuesday, the monthly release in which it ships numerous security patches. However, a new study from static analysis vendor Fortify Software shows that widely deployed open source server software also has security issues that must be resolved.

"Open source software can be another valuable option in today's corporate enterprises, but, just as with commercial software, vulnerabilities in software should be a point of concern for CIOs who depend on open source software to run their business," said former White House security officer Howard Schmidt.

Specifically, Fortify focused on 11 Java-based open source packages: JBoss, OpenCMS, Tomcat, Derby, Geronimo, Jonas, OFBiz, Resin, Struts, Hibernate, and Hipergate. Tomcat had the best results, while the remaining 10 had numerous problems found during testing with Fortify SCA, the company's source code analyzer.

JBoss received credit for providing security information on its web site and offering an easy way for users to talk with security experts, but lost points because it didn't provide a direct link for reporting bugs and security issues.

After testing was completed, Fortify had identified 15,612 SQL injection problems and 22,826 cross-site scripting security flaws across the 11 software packages.
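The two defect classes Fortify SCA counted, SQL injection and cross-site scripting, come down to untrusted input reaching a query or an HTML response without being treated as data. The following is an added example written for this page, not code from Fortify or from any of the packages the report names; it uses Python's sqlite3 and html modules rather than Java and JDBC, and the users table, rows and attack strings are constructed here. It shows the vulnerable pattern a static analyzer flags beside the parameterized or encoded form that fixes it.

```python
"""Added example (not from the page's report or projects): the SQL injection
and cross-site scripting defect classes in minimal vulnerable/hardened pairs.
Illustrated in Python with sqlite3 and html.escape; all data is constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL
    grammar.  This is the source-to-sink flow a static analyzer reports as
    SQL injection."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as a value and is never parsed
    as SQL, so quotes and keywords inside it have no effect."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects input into HTML unencoded: the cross-site scripting pattern."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Encodes for the HTML text context before interpolating."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run both pairs against classic payloads and return what each produced."""
    conn = make_db()
    sql_payload = "x' OR '1'='1"            # tautology: makes WHERE always true
    leaked = find_user_vulnerable(conn, sql_payload)   # every row comes back
    bounded = find_user_safe(conn, sql_payload)        # no user has that name
    xss_payload = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(leaked),
        "safe_rows": len(bounded),
        "raw_html": render_greeting_vulnerable(xss_payload),
        "escaped_html": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows the concatenated query returning all three users for a name that matches none of them, while the parameterized query returns nothing; likewise the raw greeting carries the script tag through intact and the escaped one turns it into inert text. A scanner such as the one Fortify used reports the first function of each pair, and the second is the usual remediation.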

All applications have vulnerabilities, and analysts warn that it would be careless to claim that open source software has any more or fewer security vulnerabilities than proprietary software until better studies are conducted.

As more companies adopt open source software, these security issues must be addressed by the projects and vendors operating in the open source market. Research performed by Gartner indicates that by 2011, 80 percent of commercial software will include some open source component.

Security assessments also must be completed to help companies better understand security vulnerabilities and the threats they pose to users.

A full copy of the report is available from Fortify's web site after creating a login.




Poorly Written
By wht1986 on 7/24/2008 12:02:47 PM , Rating: 5
I have no issue with the meat per se of the article. Eleven open source software packages were found to have that many SQL injection holes.

What grinds my gears is the wording of the article.

"Open source software, while possibly still more secure than Windows, still has its own security issues to deal with" is based on what? The open source packages tested are not operating systems. Most are web servers or applications. Perhaps something like "Open source software, while possibly still more secure than their Windows equivalents ..."

Same with the line "open source software has any more or less security vulnerabilities than other operating systems". Comments like this imply that open source software has to be an operating system.

I'm not a fanboi of either windows or linux and run both depending on the application. I like all things geeky and techie, and this article was not one.

You were reaching for a connection from Gartner's testing to the OS debate. I think you should have stuck with what the testing really means. These 11 pieces of software still had a lot of security holes, and because so much commercial software has some roots from the open source software pool, there is a good chance it may seep into that arena as well.




RE: Poorly Written
By MatthiasF on 7/28/2008 12:49:22 PM , Rating: 2
What annoys me is that all of the products mentioned are JAVA-BASED open source products. Why isn't that mentioned?

JBoss - Java web application suite
OpenCMS - Java based web CMS suite
Tomcat - Java webserver
Derby - Java database server
Geronimo - Another java webserver
Jonas - Another java webserver
OFBiz - Java based ERP/CRM/etc/etc web suite
Resin - Another java based webserver
Struts - Another java based webserver
Hibernate - Another java based webserver
Hipergate - Java based CRM/Groupware suite

Could it be, since so many of them run off Apache Tomcat code, that every single security issue mentioned is really stemming from a short list of issues but is compounded on purpose by using multiple products running the same code to make the issue look bigger?


Blasphemy
By pauldovi on 7/24/2008 11:40:42 AM , Rating: 1
You mean to tell me Linux isn't perfect?




RE: Blasphemy
By Screwballl on 7/24/2008 1:29:27 PM , Rating: 2
No, this is not Linux, it is open source software... they may have tested it on Windows 2000 or Server 2003 for all we know... there was no mention of what OS they tested this on...
There is plenty of open source software that is available for Windows and OSX as well... but what they do not tell you is that an open source program may have a security flaw or be the CAUSE of a security flaw in Windows, it can be 99.9999% secure when used in Linux.


Security firm report?
By JAB on 7/24/2008 12:13:49 PM , Rating: 2
OK, so a security firm finds that you need to protect yourself with open source. The horror! Who would have believed someone like them would report such a thing. It might dry up their business after all.




This is "news"?
By oab on 7/27/2008 12:46:06 AM , Rating: 2
I know it's a blog but... it's pretty self-evident.

Open-source software has security flaws. No kidding. So does closed-source. Immediately making something open-source does not make it instantly invulnerable to flaws.




Copyright 2010 DailyTech LLC.