Open Source Software Up the Stack

Dennis Byron

How does the open source LAMP stack up to Fortify's methodology?


Fortify Software has a good PR agency. Just as the open source software (OSS) community gathers for OSCON the week of July 21 and LinuxWorld on August 4, the security-software-and-services company has released a damning report on OSS security. It's a slow news period so all the online (and I assume printed) publications lead with the news. The firestorm on the blogosphere is predictable. Every story and posting mentions Fortify. As I said, Fortify has a good PR agency.

It's hard to argue against the methods that Fortify recommends open source communities adopt. Patrick Lightbody explained some similar solutions in his article here on ebizQ in September 2007. We will talk about them as well in our August 20, 2008 OSS Roundtable, with Jim Zemlin of the Linux Foundation, Ross Altman of Sun, and Dominic Sartorio of the Open Solutions Alliance.

But the survey paints OSS with an awfully broad brush based on a few projects out of tens of thousands. Thinking of Jim, Ross and Dominic led me to ask myself (and Fortify--answer to follow if provided) why the projects tested were picked and why some of the more popular projects--embodied in the term "the LAMP stack"--were not. The Fortify document says the reason is that the projects selected were implemented in Java, and Java is the most popular enterprise-level development language.

So maybe this is really a study about Java security issues. But JavaOne happened in June. Like I said, Fortify has a good PR agency.

1 Comment


Fortify provided the following comment to my question in the blog post above:

Fortify believes that the biggest change in the adoption of open source within the enterprise today is the use of open source components and software that are seamlessly integrated into enterprise systems. Based on feedback from our customer base, we focused our study on open source projects that are often less visible (e.g. Hibernate, Struts, etc. that enterprise systems are built on top of) or that are often tied to these technologies (Tomcat, JBoss, etc.). In our opinion, it's very unlikely that an organization, and IT professionals in particular, would select to use Linux or Apache HTTP without considering the security tradeoffs against closed source alternatives like Windows and IIS. In contrast, we feel that open source components like Hibernate and Struts are often adopted with little consideration for the security impact of the selection.


Dennis Byron’s blog on open source software: A longtime market research analyst follows what “the movement” means to business integration—in applications, infrastructure, as services, as architecture and as functionality.

Dennis Byron is an analyst with ebizQ, focusing the Business Process Management (BPM) value proposition.
