Menu
Open source could learn from Microsoft

Open source could learn from Microsoft

Companies who opt for an open source software within their organizations could be leaving themselves open to security breaches.

That's according to software company Fortify which has researched the implementation of several open source projects and found them lacking, with one executive suggesting that they could learn from Microsoft in how to improve security.

The research completed by security consultant Larry Suto, examined 11 of the most common Java open source packages. Fortify worked with open source maintainers and examined documented open source security practices to evaluate the level of security. The results were disappointing: the Fortify study found that many Open Source Software (OSS) development communities have not yet adopted a secure development process and often leave dangerous vulnerabilities unaddressed

Rob Rachwald, Fortify's director of product marketing said that open source developers should be prepared to learn from companies like Mozilla, which has recently hired Rich Mogull as its security chief.

Even Microsoft could be help up as an example of good security practice. Rachwald said that had improved its security policies no end, "It's a company that used to be severely slammed for its security procedures but, following the 2002 Trustworthy Computing memo from Bill Gates, that's all changed. Gates simply said 'if it's a choice between functionality and security, always choose security' and the company has changed its mindset, said Rachwald.

He added that proprietary software developers tended to think far more about security issues than open source developers did -- although he conceded that this wasn't always the case.

Rachwald said that a lot of the developers' problems started with their initial training. "The problem starts with the developers themselves and in particular with their education. "They've normally majored in computer science and just haven't had the grounding in security issues."

He said that it was true that the openness of open source projects would help secure vulnerabilities. But, he said, companies should ask themselves what would they rather be "great at fixing security problems or preventing those problems from happening in the first place."

According to Fortify, there are three key ways to improve the security of open source projects: appoint a security expert, someone with a thorough understanding of security issues."The difference between you and me and a security expert,"said Rachwald, "is that you and I enter a shop and think about what we could buy, the security expert enters and thinks about what he could steal."

Second, build security processes within the software development lifecycle and third, use the correct tools to test the security procedures.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments