
Fortify Software Inc.: Rising Enterprise Adoption of Open Source Software is Putting Businesses At Greater Risk; New data from Fortify Software finds that widely-used open source software packages do not employ best practices for securing code

[July 21, 2008]


(M2 PressWIRE Via Acquire Media NewsEdge)

London, UK -- Fortify Software Inc., the market leader in enterprise
application security solutions for business software assurance, today
released its Open Source Security Study, which reveals that the most
widely-used open source software packages for the enterprise are
exposing users to significant and unnecessary business risk. The study
finds that Open Source Software (OSS) development communities have
yet to adopt a secure development process and often leave dangerous
vulnerabilities unaddressed. Additionally, the study found that nearly
all OSS communities fail to provide users access to security expertise
to help remediate these vulnerabilities and security risks.

"Open source software can be another valuable option in today's
corporate enterprises, but, just as with commercial software,
vulnerabilities in software should be a point of concern for CIOs who
depend on open source software to run their business," said Howard A.
Schmidt, former cyber security advisor to the White House. "This is an
endemic issue that starts in the open source community, and while open
source software faces the same vulnerabilities as commercial or
in-house developed software, the mechanisms to test and analyze
software code need to be done with great rigor in open source
communities to influence a secure development process." The survey,
sponsored by Fortify Software and completed by leading application
security consultant Larry Suto, examined 11 of the most common Java
open source packages. In order to evaluate the security expertise
offered to users and to measure the secure development processes in
place in OSS communities, Fortify interacted with open source
maintainers and examined documented open source security practices.
Additionally, multiple versions of each package were downloaded and
scanned for vulnerabilities using Fortify SCA (the static analyzer
found in Fortify's security suite, Fortify 360). Manual review was
also carried out on security-sensitive areas of code.

Increased enterprise adoption of open source is evidenced by reports
from a number of leading analyst firms, including Gartner, which
recently reported that by 2011, 80% of commercial software will include
elements of open source technology (Gartner, "The State of Open
Source, 2008," April 2008). Additionally, an April 2008 survey from CIO
reported that more than half of its respondents are using open source
applications in their organizations today[1]. A recent report from
Forrester Research noted that for over 88% of respondents, security of
open source software was an important concern (Source: Forrester
Research, Enterprise and SMB Software Survey, 2007).

Although enterprise adoption of OSS has steadily increased, little has
been done within the OSS community to implement enterprise-worthy
application security measures. As a result of the survey, Fortify
recommends that enterprises follow the example of financial
services companies in applying risk and code analysis techniques to
their open source software. In addition, enterprises should:

- Raise security awareness within open source development communities
and emphasize the importance of preventing vulnerabilities
upstream. Enterprise security teams should articulate their security
requirements to open source maintainers to accelerate the adoption of
secure development lifecycles.

- Perform assessments to understand where their open source deployments
and components stand from a security standpoint.

- Remediate vulnerabilities internally, or leverage Fortify's Java Open
Review, which provides audited versions of several open source packages.


"Most open source communities do not follow enterprise-level change
control standards," says Jennifer Bayuk, independent security
consultant and former CISO of Bear Stearns. "There is a hidden cost for
the enterprise in using open source because they have to test and patch
for security bugs they don't anticipate."

"Today's enterprises are built and operated by software that comes from
a variety of sources," commented Roger Thornton, founder and CTO of
Fortify Software. "The software could be developed in-house, purchased
off-the-shelf, outsourced, or as we're seeing more often, based on open
source. In order to mitigate the business risk created by insecure
applications, it is imperative that companies adopt a process that
allows them to assess, remediate and prevent security vulnerabilities
in all of their business software, whatever the source."

To access a copy of the survey results, please visit
http://www.fortify.com/l/oss/oss_report.html. For more information on
Fortify's open source initiative, Java Open Review, visit
http://opensource.fortify.com.

Visit https://www1.gotomeeting.com/register/929272775 to register for
the webinar, "A CISO's Guide to Securing Open Source Software."

About Fortify Software, Inc.

Fortify's Business Software Assurance products and services protect
companies from the threats posed by security flaws in business-critical
software applications. Its software security suite, Fortify 360, drives
down costs and security risks by automating key processes of developing
and deploying secure applications. Fortify Software's customers include
government agencies and FORTUNE 500 companies in a wide variety of
industries, such as financial services, healthcare, e-commerce,
telecommunications, publishing, insurance, systems integration and
information management. The company is backed by world-class teams of
software security experts and partners.

CONTACT: Darshna Kamani, Press Contact, Eskenzi PR Ltd
Tel: +44 (0)207 183 2834
e-mail: Darshna@eskenzipr.com
Fortify Software, Inc
WWW: http://www.fortify.com

((M2 Communications Ltd disclaims all liability for information
provided within M2 PressWIRE. Data supplied by named party/parties.
Further information on M2 PressWIRE can be obtained at
http://www.presswire.net on the world wide web. Inquiries to
info@m2.com)).

Copyright © 2008 M2 Communications Ltd.
