Menu
Open source could learn from Microsoft

Open source could learn from Microsoft

Companies who opt for an open source software within their organizations could be leaving themselves open to security breaches.

That's according to software company Fortify which has researched the implementation of several open source projects and found them lacking, with one executive suggesting that they could learn from Microsoft in how to improve security.

The research completed by security consultant Larry Suto, examined 11 of the most common Java open source packages. Fortify worked with open source maintainers and examined documented open source security practices to evaluate the level of security. The results were disappointing: the Fortify study found that many Open Source Software (OSS) development communities have not yet adopted a secure development process and often leave dangerous vulnerabilities unaddressed

Rob Rachwald, Fortify's director of product marketing said that open source developers should be prepared to learn from companies like Mozilla, which has recently hired Rich Mogull as its security chief.

Even Microsoft could be help up as an example of good security practice. Rachwald said that had improved its security policies no end, "It's a company that used to be severely slammed for its security procedures but, following the 2002 Trustworthy Computing memo from Bill Gates, that's all changed. Gates simply said 'if it's a choice between functionality and security, always choose security' and the company has changed its mindset, said Rachwald.

He added that proprietary software developers tended to think far more about security issues than open source developers did -- although he conceded that this wasn't always the case.

Rachwald said that a lot of the developers' problems started with their initial training. "The problem starts with the developers themselves and in particular with their education. "They've normally majored in computer science and just haven't had the grounding in security issues."

He said that it was true that the openness of open source projects would help secure vulnerabilities. But, he said, companies should ask themselves what would they rather be "great at fixing security problems or preventing those problems from happening in the first place."

According to Fortify, there are three key ways to improve the security of open source projects: appoint a security expert, someone with a thorough understanding of security issues."The difference between you and me and a security expert,"said Rachwald, "is that you and I enter a shop and think about what we could buy, the security expert enters and thinks about what he could steal."

Second, build security processes within the software development lifecycle and third, use the correct tools to test the security procedures.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments