Businesses Warned: Open-Source Risky

A security firm has warned businesses that using open-source software could put them at risk. A new study carried out by security consultant Larry Suto for Fortify claims people developing open-source software simply don't meet the security standards that would be expected of commercial software companies.

Open-source software involves the source code behind the software being publicly available. In most cases there is no charge to use, distribute or modify the software. Indeed, many developers and enthusiasts will share ways to improve the software or adapt it for different tasks. The best known open-source software is the Linux operating system, though there are also plenty of programs published as open-source. Supporters say such software is a cheaper (and sometimes free) alternative to products from name brand companies like Microsoft.

In a statement, Suto and Fortify had this to say about open-source:

"Serious security threats stemming from numerous application vulnerabilities are a direct result of poor or non-existent security processes." (Source: networkworld.com)

The study criticises open-source groups for failing to use in-house security experts, not taking care of security flaws when they release updated editions, and not using tools designed to track down security-related bugs. (There is some self-interest here as Fortify manufacturers such tools.)

The report did highlight Mozilla as an example of good practice. The firm, which makes the Firefox Internet browser, recently hired a security consultant.

According to Fortify, the report shouldn't mean open-source software becomes a no-no. Instead, companies using it should budget for spending time and money to assess the software they are planning to use and make sure there are no security risks. (Source: linuxinsider.com)

The biggest problem appears to be the downside of one of open-source's major benefits: the co-operation between many different developers. While this can make software more creative or efficient, it means there's no formal security-vetting process found with commercial development.