Slashdot Mirror


Study Says Open Source Software a Security Risk

chareverie writes "Fortify Software released a study where they concluded that open source software poses a large security risk to corporations who have implemented it. They reason this by stating that the fault lies within the open source communities and their failure to adhere to minimum security practices. Fortify Software studied 11 open source software packages, where the application server Tomcat was determined to be the best. The other 10 were found to have poor results, with those being Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts. Jacob West, manager of Fortify's research group, reminds that purpose of the study was 'not to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.'"

30 of 86 comments

  1. ZOMG!!! by clang_jangle · · Score: 4, Interesting

    Wait, so you're saying a vendor of proprietary security software is criticizing FOSS security?!?
    Why, this is just too much, how will we ever recover? And they even based it on 11 whole OSS projects... Game over!

    --
    Caveat Utilitor
    1. Re:ZOMG!!! by moderatorrater · · Score: 5, Insightful

      Check out some of the things that they're rating it on, too. A lot of their complaints and ratings come from communication and support issues, where most open source software fails. That's why there's a service industry being built up around open source software. You'll also notice that they didn't rate any software that has a big company behind it, like RHEL or MySQL or anything like that.

      That being said, these are valid complaints, and if external support is going to be an issue with your company, then you need to think very carefully about whether open source software is right for you.

    2. Re:ZOMG!!! by snowgirl · · Score: 2, Insightful

      Yeah, I looked over most of the projects that they commented about... it's like, um... where are the big names? OpenBSD, Linux, X.org, Apache?

      Like... oh right, if they reviewed high-profile FOSS projects rather than low-band FOSS projects, they'd come out with different results...

      TRASHBIN!

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:ZOMG!!! by betterunixthanunix · · Score: 4, Interesting

      JBOSS is a division of Red Hat, and Red Hat provides extensive JBOSS support. In fact, JBOSS running on RHEL 5 has a higher security rating than almost every other commercial software package. My guess is that the authors of the article decided to go with the community version of JBOSS, which does not have the support from Red Hat. This is somewhat typical of attempts to make open source packages look bad: talk about enterprise security, then evaluate a non-enterprise package.

      --
      Palm trees and 8
  2. What we use by Anonymous Coward · · Score: 2, Insightful

    Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts

    While we use tomcat, thankfully we don't use any of the others (in fact, I haven't even heard of several of them). As an example, we use Alfresco as our cms. If it ever caused security concerns, we could switch to a different open source cms. This would probably be quite a bit tougher if you were stuck with a single closed source package (and good luck finding out which "minimum security practices" a closed source vendor uses).

  3. I've only heard of two of those... by MostAwesomeDude · · Score: 2, Interesting

    Tomcat and OpenCMS, to be specific. And I don't use any of them.

    This might be interesting news to me if they found problems with: Apache 2, PHP 5, Wordpress, Gallery 2, or Python 2.5, which is basically what my site runs on.

    And yes, I know there's security problems with PHP and Wordpress. I'm just pointing out that they aren't targeting more popular software; wonder why?

    --
    ~ C.
    1. Re:I've only heard of two of those... by jd · · Score: 3, Insightful

      JBoss is not widely used. Struts is, Hibernate mostly is... However, the underlying problem is that these are ALL middleware packages. Is the study claiming that the middleware is faulty? Or that the apps other people write on top of that middleware have issues? If it's the apps, then the middleware is likely blameless. Even if it is the middleware, why isn't the app filtering out erroneous inputs? And why is the middleware being run in a container with excessive permissions?

      This study manages to tell me one thing: This group has no idea how to perform studies. Even most FUD merchants would do a bit better job of covering the deficiencies in their methods.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:I've only heard of two of those... by shaitand · · Score: 2, Insightful

      Or a real programmer as any good programmer doesn't particularly care what SHOULD be necessary and only concerns himself with what IS necessary here in the real world.

  4. Conflict of interest by 14erCleaner · · Score: 4, Funny

    Since Fortify is a security firm, it's obviously in their best interest to have everybody using 100% Microsoft products.

    --
    Have you read my blog lately?
    1. Re:Conflict of interest by dacut · · Score: 2, Informative

      WTF? My team uses Fortify to analyze our Java webapps (compiled on the Sun JDK and running on their JRE), which is then deployed to Linux servers running RHEL 5. HTTP connectivity for the apps is provided by Jetty; the apps themselves connect to Oracle databases (using C3P0 for connection pooling).

      With Fortify 4.0, I griped that it provided no value that we didn't already get with FindBugs (for free). The 5.0 release (along with the workbench, which provides better information than the HTML report), however, did catch a few bugs which weren't caught by FindBugs. We now run both tools in our automated Hudson builds.

      Where, exactly, are the Microsoft products in the above list?

    2. Re:Conflict of interest by smittyoneeach · · Score: 2, Funny

      Nonsense: GGP is properly spelled, employs a complete sentence, and proper punctuation. Modding it 'Funny' would be inconceivable.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  5. OSS is a risk compared to... by fractic · · Score: 5, Insightful

    This study doesn't show OSS is a risk at all. They forgot to compare it with proprietary software. Without such a comparison you can't tell whether OSS is worse. For all I know 10 out of 11 proprietary software packages would have issues too.

  6. in other news... by erbbysam · · Score: 4, Insightful
  7. In other security news.. by nategoose · · Score: 3, Insightful

    Research has shown that closed source software poses security risks.

  8. Judge for yourself by UnknowingFool · · Score: 4, Interesting

    Maybe the story wasn't reported right but here is a list of their issues with open source:
    • No easy access to security information on Web sites for security experts
    • No confidentiality of security issues vs general bugs.
    • No specific contact for security issues.
    • Lack of response from contacts
    • Don't provide the same level of service that commercial products offer.

    I'm not an expert on open source and security but I get the feeling that the authors judged open source software based on closed source standards. The authors complain that disclosing security issues with general bugs was a problem. Did the authors not understand that full disclosure is one of the tenets of open source? The last gripe is that the service wasn't the same with lack of contacts and responses. Judging by the summary it appears that the authors just monitored the community forums. Did the authors even pay for support? When you pay for software and support, you should get it. When you don't pay for software or support, why should you deserve service?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Judge for yourself by jrumney · · Score: 4, Interesting

      Many of the projects they evaluated are Apache projects. The Apache Foundation has a private list for security bugs (security AT apache.org) so their complaints on that basis are unjustified for those projects at least. And I would be very surprised if they found security bugs in all of those projects in order to test the responsiveness of the developers, so I guess they sent some random mail that was probably justifiably discarded as spam.

  9. to explain the parent post with quotes : by unity100 · · Score: 2, Funny

    Eric S. Raymond discusses the recent Microsoft security debacle in which an engineer inserted a back door in a library that allowed access with the phrase 'Netscape engineers are weenies!' The article notes that 'Apache will *never* have a back door like this one.'

    http://linuxtoday.com/stories/20234.html

  10. Proprietary Software Poses a Risk to corporations by mysidia · · Score: 3, Interesting

    Closed source/proprietary software doesn't adhere 100% to industry "best" practices, such as providing a prominent link to security information on their Web site either.

    It's just not as easy to see where closed source is lacking, because, well: you don't have the source to conduct research into the security flaws.

    If the source was not public, you, in many cases, would have never known that X practice wasn't being followed by certain elements of the software.

    Closed software can ignore practices whenever convenient, and since the source is closed, they are all but immune to this type of analysis.

    A true comparison requires actually obtaining the source to proprietary software and using that to its full advantage to find security flaws.

  11. Blah blah blah by Aphoxema · · Score: 3, Insightful

    Studies also conclude that lunixes is a big intellectual IP property ripoff doomed to failure, laptops will completely replace desktops in ten years, and piracy is a really big problem that's sending business after business into bankruptcy.

    It's wonderful how you can release any anecdotal evidence from a limited perspective as a marketable 'study'.

    I'm releasing a study on how interest groups posing as reputable and productive companies pass bullshit around like the flu.

    --
    "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  12. Apples, oranges, or bananas? by betterunixthanunix · · Score: 4, Informative

    That list is a bunch of unrelated packages. Hibernate is not an application server, it is an ORM. OFBiz is an automation framework that runs on top of an application server. Hipergate is a collection of various web apps that run on an application server.

    They also forgot to have a proprietary package -- so the comparison is between open source packages. They might as well say, "Proprietary software poses a security risk. We've evaluated .NET, Matlab, and Age of Empires."

    --
    Palm trees and 8
    1. Re:Apples, oranges, or bananas? by hardburn · · Score: 3, Insightful

      No, if anything, these packages aren't unrelated enough to get a good cross section of FOSS. They're mostly web app-related thingies that are tied into Java. I haven't heard of most of them, probably because I stay strictly away from Java.

      --
      Not a typewriter
  13. WTF by imaniack · · Score: 3, Funny

    Don't they know OSS is PERFECT in every possible and imaginary way!!!! :)

    1. Re:WTF by Spy+der+Mann · · Score: 2, Funny

      Yes, Mr. Strawman, I'm sure they do.

      Hmmm... that got me thinking.

      Straw man + flamebait = ??? (think of an ultra flammable scarecrow)

  14. Where to start... by d3ik · · Score: 4, Informative

    FTFA:

    Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

    The projects in question:
    Tomcat, Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts.

    For those who don't play in Java often:

    Derby is an embedded database.
    Tomcat, Geronimo, JBoss, Resin and JOnAS are Java (EE) app servers.
    Hipergate and OpenCMS are (you guessed it) content management systems.
    Hibernate is a persistent framework.
    Struts is a web framework.

    So of any of these, it seems that the only projects that would be open to XSS or SQL injection would be the CMS products. Unless they're referring to the web administration for the app servers?

    The only way to have SQL injection attacks in javaland is if you're not using prepared statements or if your database driver isn't preparing/escaping properly.

    So they're saying two CMS projects have tens of thousands of XSS and SQL injection vulnerabilities?

    1. Re:Where to start... by hardburn · · Score: 3, Insightful

      I wonder how they're counting. The quote says across "multiple versions". Are they giving multiple counts for a single vulnerability that exists in multiple versions?

      --
      Not a typewriter
    2. Re:Where to start... by julesh · · Score: 4, Interesting

      FTFA:

              Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.

      The projects in question:
      Tomcat, Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts.

      For those who don't play in Java often:

      Derby is an embedded database.
      Tomcat, Geronimo, JBoss, Resin and JOnAS are Java (EE) app servers.
      Hipergate and OpenCMS are (you guessed it) content management systems.
      Hibernate is a persistent framework.
      Struts is a web framework.

      So of any of these, it seems that the only projects that would be open to XSS or SQL injection would be the CMS products. Unless they're referring to the web administration for the app servers?

      The only way to have SQL injection attacks in javaland is if you're not using prepared statements or if your database driver isn't preparing/escaping properly.

      So they're saying two CMS projects have tens of thousands of XSS and SQL injection vulnerabilities?

      You're just on the edge, I suspect, of the reason they didn't get good responses from the maintainers of the code for the "vulnerabilities" they reported. That's because, in most cases, they probably weren't vulnerabilities. The authors of the report are the producers of a static analysis tool that -- you guessed it -- detects potential XSS and SQL injection vulnerabilities. Of course, it (like all such tools) has a very high false positive rate.
      In the case of code that automatically generates SQL code algorithmically (not using hard-coded prepared statements, for example) like Hibernate, or generates HTML code algorithmically (like, say, pretty much any JSP implementation or templating language), the number of false positives is going to be huge.

      Any bets they didn't bother stripping out those false positives before reporting the "vulnerabilities"?
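The distinction d3ik draws above (bound prepared statements versus SQL built by string concatenation) and julesh's point about SQL that is assembled algorithmically, as an added example that is not part of this thread, of any of the listed projects, or of Fortify's report. It uses the Apache Derby embedded JDBC driver, which is assumed to be on the classpath (derby.jar; Java 9 or later for Map.of); the ACCOUNTS table, its rows, the allow-list of sortable columns and the probe input are all constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class PreparedStatementDemo {

    // Vulnerable form: the caller's string is spliced into the SQL text, so a
    // quote character inside it changes the structure of the query itself.
    static int countByConcat(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM ACCOUNTS WHERE USERNAME = '" + user + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened form: the string is bound as a parameter value. The driver ships it
    // separately from the already-parsed query, so it can only ever be data.
    static int countByPrepared(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM ACCOUNTS WHERE USERNAME = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Identifiers cannot be bound with '?', so a sortable column is chosen from a
    // fixed allow-list (a constructed map, part of this example only).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "name", "USERNAME",
            "created", "CREATED_AT");

    // SQL assembled at runtime that is nonetheless safe: the only dynamic piece of
    // query text comes from the allow-list, and the user-controlled value is bound.
    // A taint-tracking scanner sees "concatenated string reaches executeQuery" and
    // tends to flag exactly this pattern; that is the false positive julesh describes.
    static List<String> listExcluding(Connection c, String sortKey, String excluded)
            throws SQLException {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key: " + sortKey);
        }
        String sql = "SELECT USERNAME FROM ACCOUNTS WHERE USERNAME <> ? ORDER BY " + column;
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, excluded);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // In-memory Derby database; the table and its two rows are constructed for the demo.
        try (Connection c = DriverManager.getConnection("jdbc:derby:memory:demo;create=true")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE ACCOUNTS (USERNAME VARCHAR(40), CREATED_AT INT)");
                st.execute("INSERT INTO ACCOUNTS VALUES ('alice', 1), ('bob', 2)");
            }

            // Constructed lookup value: no such account exists, but it carries a quote.
            String probe = "nobody' OR '1'='1";

            // Concatenation lets the quote rewrite the WHERE clause, so every row matches.
            System.out.println("concatenated count: " + countByConcat(c, probe));
            // Binding keeps the whole string a literal username, so nothing matches.
            System.out.println("prepared count:     " + countByPrepared(c, probe));

            // Runtime-built but allow-listed SQL behaves as intended...
            System.out.println("sorted by name, without bob: " + listExcluding(c, "name", "bob"));
            // ...and an identifier outside the allow-list never reaches the query text.
            try {
                listExcluding(c, "email", "bob");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with derby.jar on the classpath; the concatenated query reports both rows while the bound query reports none, which is the whole of d3ik's point. The third method is the shape of code a flow-based scanner cannot tell apart from the first one without understanding the allow-list, so counts like the ones quoted above need that triage step before they mean anything.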

  15. Java/Apache heavy? by VGPowerlord · · Score: 3, Insightful

    Is it just me, or is this survey extremely Java heavy?

    Not only that, but there are a good number of Apache projects in particular... Apache Tomcat, Apache Geronimo, Apache Derby, Apache Struts...

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  16. Did MS get their receipt for this study? by Dracos · · Score: 2, Insightful

    This is a weak article about a specific set of open source projects designed to keep CIOs and CTOs from jumping off the Windows turnip truck.

    FUD... it's what's for dinner.

  17. Biggest security risk of Open Source Software by fatp · · Score: 4, Interesting

    According to the article, the biggest security risk of Open Source Software is the lack of a support hotline number.

    1. Re:Biggest security risk of Open Source Software by tinkertim · · Score: 2, Insightful

      I got that impression too. Have you ever tried calling Microsoft support? By the time you actually get a qualified person to answer your question, you could have received 2 - 3 responses on an OSS project's forum or mailing list.

      Another interesting thing that I saw the study fail to mention, there are many OSS projects that clearly state on their web site "This is not yet production quality, use at your own risk" .. yet anyone selling something new would not dare to issue such a warning.

      I really feel like the study is rampant FUD that hopes to be viral so that the authors can place themselves in some sort of authoritative role.

      I'm actually a little shocked that Network World even ran the story.