Open season
Companies deploying non-proprietary software should take precautions against its insecure nature
Rob Rachwald: Firms considering open-source software must evaluate open-source security
It is ironic: the versatile software that you depend on to run your business also puts it at risk. Open-source development in particular introduces risk to your business.
A Fortify-sponsored study by application security consultant Larry Suto in July examined 11 of the most common Java open-source packages and found that open-source software development communities have yet to adopt a secure development process.
Fortify sees thousands of development teams, mostly within IT organisations for financial and other highly regulated industries, that have a sophisticated process in place for application security.
To mitigate the risk created by insecure applications, firms can adopt a process that allows them to assess and prevent security vulnerabilities in all their business software, whatever the source.
Developers and security experts should be working together to build secure software right from the start. Fortify is talking with open-source providers to improve processes and invites any open-source group wishing to get involved and make security a part of the development process to get in touch.
Organisations using open source should do so carefully. Open-source code should be reviewed and analysed for risk if running in business-critical applications. The process should be repeated before new versions of open-source components are adopted.
Firms considering open-source software must evaluate open-source security. We recommend enterprises raise security awareness within open-source development communities and emphasise the prevention of vulnerabilities upstream.
Enterprise security teams should articulate their security requirements to open-source maintainers to accelerate the adoption of secure development lifecycles.
Open-source development can benefit from private industry practices, notably those created by financial services organisations and larger ISVs. Open-source communities can then advertise and substantiate effective security practices that blend process and technology. For example, a security expert should be appointed and given power to veto releases.
Security can be built in by mandating processes that integrate security proactively, throughout the development lifecycle. This should include relevant non-coding activities, such as threat modelling and the development of abuse cases, as well as static analysis during development and dynamic analysis during security testing in quality assurance.
With open source, flaws can be fed back into the machine, but it will never be as good as building it securely in the first place.
Rob Rachwald is director of product marketing at Fortify Software.