Fortify Software Cautions Government to Consider Security of Open Source

Lora Bentley

At the same time that a group of open source software vendors and supporters is working to convince the Obama administration to consider open source software solutions, Fortify Software is cautioning the government against adopting such solutions without first ensuring that the appropriate security measures are in place.


In a recent press release regarding the open letter to Obama, Fortify CTO Roger Thornton said:

Governments and open source proponents need to understand that security is not a birthright. It does not come 'for free' because of the way you license your product. If security objectives are not clear and secure development methodologies are not in place, it's a pretty safe bet that security problems will result, whether open source or commercial software.

He points out that the money saved in using open source could be quickly "diminished" by the costs of hardening code and/or responding to resulting litigation if security issues are not considered from the outset.


Of course, Fortify's cautionary tale is as self-serving as the plea for open source coming from the open source vendors. Fortify is in the security software business, so it only stands to benefit if the Obama administration heeds its call.

Mar 6, 2009 4:27 AM Kenneth Gonzalez says:

Sure. The vendor may have a proprietary interest, but in this case, I say that we should give them the benefit of the doubt. In many cases, vendors have important perspectives to contribute when examining a given issue.

Where the problems come in is when it goes something like this -- "I've identified that you have 'x' as a problem and my new software/service/hardware 'BigWidget' will solve this problem and potentially many more". That's the real problem. Products are not substitutes for thinking and appropriate action.

When it comes to security and open source, I think due caution is appropriate. Too many developers have no concept of what secure development is all about.

Additionally, while on the topic of open source, I've had many clients tell me the equivalent of "if it's for free, it's for me!". The thinking being that something that's "free" (or doesn't result in an expense for license) is easy to justify.

While it may be easy to justify, I think that's a pretty narrow view of things. Just because it doesn't cost you anything up front (like license fees or royalties) doesn't mean that there are no costs. That's absolutely insane. Anything you install into your environment ultimately has a cost (and consequences).

Don't get me wrong, I work for a commercial software vendor and I love open source! I just think we need to get real about what things really cost and the impacts of the decisions we make when deploying new stuff.
