Domain: fortify.com
Stories and comments across the archive that link to fortify.com.
Comments · 10
-
Re:Hmmmm....
Of course in this particular case, regardless of which package is more secure, after the Bush years, the US is still looked down upon. So reverse psychology perhaps, a US company telling the UK government what to do, will do more damage that good to the M$ cause in the current political climate.
As for the survey and report, "examined 11 of the most common Java open source packages" http://www.fortify.com/news-events/releases/2008/2008-07-21.jsp, so, a whole lot of bullshit going on there, because the techworld article kind of failed to mention that, and for a very profitable pro M$ reasons, I would guess. So it has nothing to do with Linux, Open Office etc. etc. etc. So, by the way, what exactly are the twelve most common (what does that world all of a sudden bring to mind conmen) java packages.
-
Astroturf ?
I have to wonder if this is an Astroturf attack.
First, go back to the original research article. It is interesting, but it includes one open source project, Hipergate 3.0.26, which has 100 times the issues of all the other projects considered, and which skews the statistics. Note, too, that they also consider Hipergate 3.25, which has very few issues. I am not familiar with Hipergate, and it is not clear to me if these are separate products, or if version 3.0.26 is just a very buggy beta version, or even if 3.0.26 comes before or after 3.25. Poking around Sourceforge doesn't find either of these versions; the version there is up to 4.0.3.
The report itself makes the point that OSS should do better, and that it could do better. Fair enough. But what of the bigger implications ? What should be done, except maybe avoiding Hipergate 3.0.26 ?
Of course, saying that the UK should not use Hipergate 3.0.26 is unlikely to make the news. To conclude that the UK government should not use OSS, however, I would want to see a comparison of OSS software and proprietary software on similar points. (Some proprietary software companies make it easy to post security issues, others do not, for example. Is that better or worse in practice than OSS ?)
I don't see that sort of analysis here, and that makes me suspect astroturfing. (Again, I am not saying this for the original research report, but for the announcement about the UK Conservative Party.)
The thing that makes me especially suspicious is that one would normally expect a company like Fortify to say something like, here is a opportunity to really improve OSS, the Conservative Party should announce a major software security initiative to go along with their OSS initiative and, by the way, we at Fortify have a number of products and services that would really help with that initiative.
Just to say that it is a bad idea seems to be against their self-interest, and whenever companies act against their apparent self-interest I start to wonder what's going on.
-
Re:The British like Americans seem to be incompete
We can also look here http://www.fortify.com/partners/technologyPartners.jsp and note that Microsoft is one of their partners.
-
The study TFA draws conclusions from
TFA references a study by Fortify Software that is the basis for the statements against OSS. Here's the link to the study. http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
-
See to believe....
A link to the company's study: http://www.fortify.com/servlet/download/user/OpenSource_Security_WP_V5.pdf
While they raise a couple interesting points, my first impression is that they broadly generalize from a small sample set. Specifically, they only look at about 10 Java projects (including Tomcat, Hibernate, and JBoss), and proceed to conclude that the open source community is unresponsive to security threats. Conspicuously absent are any Linux distributions (let alone any *BSD... they have obviously never heard of OpenBSD), OpenOffice, or any tools likely to make it into desktop use for the UK government.
Oh, and the solution to all this apparently is to rely on their company's security auditing services to make sure that your company doesn't have "hidden security holes".... Riiiight.... -
Re:The British like Americans seem to be incompete
We should collect statistics here and convince these Britons that OSS is still the best model around.
Yeah, maybe we look here https://opensource.fortify.com/ They scanned 103 projects with a total of 24668646 loc and found a total of 403 error which makes for 1 error in 61212 loc or 4 errors per projects. Not too bad I'd say. Oh, btw of those 403 errors found 383 are already fixed.
-
ZOMG!!!
Wait, so you're saying a vendor of proprietary security software is criticizing FOSS security?!?
Why, this is just too much, how will we ever recover? And they even based it on 11 whole OSS projects... Game over! -
Re:Yes
I disagree. Fortify and Ounce both spend a lot of effort on developer remediation; for example Fortify displays in the IDE a detailed article about the issue found, how developers fall into the trap, exploit examples and how to safely remediate the code. Truncated example of this sort of information here: http://www.fortify.com/vulncat
It's true that security analysts are the ones best suited to triaging away the false positives. -
Yes
-
Crypto Restrictions
hmm.. instead of hosting the strong crypto-containing code onsite (like 128 bit netscape), why not utilize Fortify instead? Admitted, this has its own problems (not being in direct control over the foreign boxen, etc) but the idea is sound.. I'm not sure about the licensing behind their crypto-using software (besides SSH and netscape) such as kerberos... Regardless, I see this as a leap in the positive direction for umich. I hope they set up some public (for students) labs using this distro as well.