Is Open Source Security Slipping?


One of the selling points of open source software is that having so many eyes combing through the code makes it more secure than its proprietary cousins. That claim took a hit this week, as Fortify Software released a study that claims widely used open source packages have significant vulnerabilities.


The survey, which was conducted on Fortify's behalf by Larry Suto, looked at 11 common Java-based packages. The release describes the process Suto used, which included interaction with open source maintainers, perusal of documentation and manuals, and automated scanning of multiple versions of each package. Fortify gear was used for the automated scanning. The release concludes with several recommendations.


A complex story at MIT Technology Review traces a mistake made a couple of years ago by programmers designing the OpenSSL library. The mistake reduces the number of possible encryption keys from an astronomically high number to 32,767 -- child's play to a savvy hacker.


The problem endangers encryption processes on four or more open source operating systems, 25 applications, and millions of computer systems spread over the Internet. The problem is invisible to users unless they take the time to find it. Besides the seriousness of the problem itself, the writer says that the fact that this could happen raises questions about the general security of open source and, perhaps, of all software.


Other problems are emerging. The open source Spring Framework, which describes itself as "a full-stack Java/JEE application framework," has been found to hold at least two vulnerabilities. One blogger asks how this could have happened in such a commonly used tool, considering open source's "strong community vetting" -- such as that available for the Apache service. He further asks if the increase in single-vendor open source products may be behind any slippage.


Fortify is not the first organization to address open source security issues. At Forrester's IT Forum EMEA 2008 conference in Amsterdam in April, the firm discussed a new report on the state of open source in Europe and North America. The report said that 45 percent of European software decision-makers and 71 percent of North American decision-makers self-report being concerned about security.