Is Open Source Software a Security Risk?

According to a study by Fortify Software, some open source software is a significant security risk for the many corporations that use it, because the open source community fails to adhere to minimal security best practices. The study was carried out by Fortify Software with help from its consultant Larry Suto, who examined 11 open source software packages and each community's response to security issues over a period of time. The main aim was to discover whether the community behind each open source package was responsive to security questions or vulnerability findings. "You don't want to report bugs to a general mailing list because it would go to the general public," says Jacob West, manager of Fortify's security research group. Bug reporting needs a confidential channel so that a fix can be ready by the time the public is notified, and attackers do not get advance information they can exploit. Often, open source communities, which offer their software for free, do not appear to be as mindful of security strategy as their commercial counterparts, which charge for the software and for the support they provide. Fortify Software found a total of 2,826 cross-site scripting and 15,612 SQL injection issues across multiple versions of the 11 open source packages evaluated. But when it tried to reach those open source communities using the basic contact information available, a Web site and a general e-mail address, the security firm found that "in two-thirds of these cases, you didn't get a response at all. There are no phone numbers. It's really hard to tell who these people are." Open source packages often claim enterprise-class capabilities but do not follow industry best practices. Only a few open source development teams are moving in the right direction.

Fortify conducted this study to determine how security practices need to improve as open source adoption by governments and enterprises grows. The implication is that corporations may have to remediate open source packages on their own. Government agencies and corporations need to decide whether they will try to mitigate problems with open source software themselves, through risk assessment and code review, and whether they plan to give that information back to the open source community.

Author: Swati Bansal