About us Contact us RSS Newsletters Blogs Video Follow us on Twitter

Register | Login

Advertisement
  • Networking
  • Storage
  • Security
  • Mobility and Wireless
  • Applications
  • OS and Servers
  • Mid-sized Business
  • Green IT
  • Virtualisation

Home | News | Insight | How-tos | Case studies | Interviews | Briefings | Reviews | Blog

Computer & Internet Security News



22 July 2008

Open source could learn from Microsoft

By Maxwell Cooter, Techworld

Companies who opt for an open source software within their organisations could be leaving themselves open to security breaches.

Advertisement

That's according to software company Fortify which has researched the implementation of several open source projects and found them lacking, with one executive suggesting that they could learn from Microsoft in how to improve security.

The research completed by security consultant Larry Suto, examined 11 of the most common Java open source packages. Fortify worked with open source maintainers and examined documented open source security practices to evaluate the level of security. The results were disappointing: the Fortify study found that many Open Source Software (OSS) development communities have not yet adopted a secure development process and often leave dangerous vulnerabilities unaddressed.

Rob Rachwald, Fortify's director of product marketing said that open source developers should be prepared to learn from companies like Mozilla, which has recently hired Rich Mogull as its security chief.

Even Microsoft could be help up as an example of good security practice. Rachwald said that had improved its security policies no end, “It's a company that used to be severely slammed for its security procedures but, following the 2002 Trustworthy Computing memofrom Bill Gates, that's all changed. Gates simply said 'if it's a choice between functionality and security, always choose security' and the company has changed its mindset, said Rachwald.

He added that proprietary software developers tended to think far more about security issues than open source developers did – although he conceded that this wasn't always the case.

Advertisement

Rachwald said that a lot of the developers' problems started with their initial training. “The problem starts with the developers themselves and in particular with their education. “They've normally majored in computer science and just haven't had the grounding in security issues.”

He said that it was true that the openness of open source projects would help secure vulnerabilities. But, he said, companies should ask themselves what would they rather be “great at fixing security problems or preventing those problems from happening in the first place.”

According to Fortify, there are three key ways to improve the security of open source projects: first, appoint a security expert, someone with a thorough understanding of security issues. ”The difference between you and me and a security expert,”said Rachwald, “is that you and I enter a shop and think about what we could buy, the security expert enters and thinks about what he could steal.”

Second, build security processes within the software development lifecycle and third, use the correct tools to test the security procedures.

Follow highlights from Techworld on Twitter
Stay Informed > Subscribe to our Newsletters
The UK IT News widget Get it for your site!

<<newer article | back to index | older article>>

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add 'Open source could learn from Microsoft' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?

Comments received


bad spell said on Tuesday, 22 July 2008

Ever heard of spell check? "open source softwar ", "Even Microsof could"

The Pedant said on Tuesday, 22 July 2008

No, but I've heard of a spelling check... Have you ever heard of a grammar check? LOL!

Advertisement
Advertisement

WHITE PAPERS

  • Seven Ways ITIL Can Help You in an Economic Downturn
    Learn more about how ITIL can help your business weather the economic storm, and how it can leave you better positioned for growth when the economy begins to rebound.
  • Make Compliance Work For You
    Learn how to make compliance work for you, rather than the other way around, with this whitepaper form Oracle.
  • Modernizing IT: Strategies for Improving Service Quality and Reducing IT Costs
    Working harder simply won’t get you there. No matter how many people you allocate, sinking more labour into old IT practices cannot concurrently meet rising demands on IT and cut costs. Read about cost-effective, automated ways to meet this challenge head-on in this whitepaper.
  • Security and Trust: The Backbone of Doing Business over the Internet
    When shopping online, consumers are concerned about identity theft and are therefore wary of providing untrusted sources with their personal information, especially their credit card details. Find out how to gain the trust of online customers.
  • Business Continuity - Are you always open for business?
    Business continuity is not an end in itself, but the key to improving performance. Oracle solutions for midsize organisations contribute by providing a secure, easily accessible, and always available information infrastructure thats's also simple and cost-effective to manage. This Oracle Business Brief explains how.

Techworld topic pages