
Does open source pose a security risk?

Businesses warned to exercise "great caution"

Tags: open source, software, business

By Matthew Broersma

Published: 22 July 2008 08:52 GMT

The security practices of open-source IT developers should lead enterprises to think twice before using open-source software, according to a new study.

The study, carried out by application security consultant Larry Suto and sponsored by security tools vendor Fortify, found that a lack of security processes led to a constant or increasing number of security issues in successive open-source releases.

As a result, government and commercial organisations should approach open-source applications with "great caution", carrying out risk analysis and code review before they are used, Fortify said.

The company argued that open-source development simply does not live up to enterprise security standards. Fortify quoted Jennifer Bayuk, an independent security consultant, as saying that open source implies a "hidden cost" due to the necessity of testing for security bugs.

The study is likely to reopen the debate around the relative security of proprietary and open-source software.


Independent software vendors (ISVs) selling proprietary software have claimed the open-source development process exposes open-source software to greater security risks, while open-source developers argue that the openness of the process allows for more security flaws to be caught.

The study examined software for developing and serving Java applications, including Geronimo, JBoss, Struts and Tomcat. It found that all or nearly all of the projects examined failed to provide access to an internal security expert, reduce the number of security flaws in successive releases or make use of bug-catching tools such as FindBugs or Fortify's own Java Open Review.

As a result, bugs such as SQL injection and cross-site scripting continue to proliferate, Fortify said.

The study said: "Open-source packages often claim enterprise-class capabilities but are not adopting - or even considering - industry best-security practices. Serious security threats stemming from numerous application vulnerabilities are a direct result of poor or non-existent security processes."

One exception is Mozilla, which in July announced a security initiative and hired security consultant Rich Mogul as an adviser. But more projects need to follow Mozilla's lead or, better yet, follow the lead of proprietary ISVs in improving security practices, Fortify said.

The report said: "Open-source development can benefit from private industry practices - notably those created by financial services organisations and larger independent software vendors."

A May study funded by the US Department of Homeland Security praised improvements in open-source security. A recent survey found that unsupported open source software was one of the top causes of security breaches.

Original article: Open source 'lacks enterprise-grade security' from ZDNet UK
