Open source is inherently no more risky than commercial software

(11/12/2007)

Open-source software is very attractive for companies looking to expand their services or quickly get new offerings to market, in part because it's free. Unfortunately, some companies tend to overlook the software license commonly attached to open-source software, the GPL. Verizon is the latest company to do so, and its use of an OSS package in a wireless router has led to a copyright infringement lawsuit from the Software Freedom Law Center.

The popularity of open source software has created an environment in which engineers often embed a wide range of open source and third party components inside enterprise applications outside of the normal software procurement process. This ad-hoc and often undocumented supply chain makes it difficult for application security teams to maintain an accurate code inventory that allows them to proactively monitor open source projects for applicable security alerts and patch updates.

Palamida™ has announced the expansion of its Vulnerability Reporting Solution detection capabilities to include 431 open source security alerts - 148 of which are considered to have High-Severity Common Vulnerability and Exposures (CVEs) ranging from cross-site scripting and buffer overflows, to SQL injections. In addition, the company has also published the Top 5 Most Overlooked Open Source Security Vulnerabilities found in enterprise audits during 2007 - derived from an analysis of over 300 million lines of code across multiple verticals that include financial services, technology and government.

“Open source is inherently no more risky than commercial software,” said Mark Tolliver, CEO of Palamida. “The majority of open source projects provide a patched version to any issue within hours of discovery. Users of open source, however, need a way to quickly and accurately verify what components they are using and associate them with known vulnerabilities so they can retrieve updated versions. Without a mechanism in place to perform this function, organisations put themselves at risk for introducing security vulnerabilities into their code base.”

The vulnerability library, the cornerstone of the Palamida Vulnerability Reporting Solution (VRS), is a database that contains signatures enabling unique detection of almost 2 million open source files with reported vulnerabilities. The library contains 431 reported vulnerabilities associated with the most common open source projects Palamida finds embedded inside enterprise applications. The VRS is detection and reporting software that discovers and identifies all unknown open source code inside internally developed enterprise applications, providing an immediate report on their existing vulnerabilities.

It allows users to further develop their security policies for open source use such as:
· Identification of all open source in the code base;
· Pinpointing its exact location within the code base;
· Measuring third-party code dependence;
· And tracking associated vulnerabilities.
The end result is a complete blueprint of all open source used across the enterprise code base.

For year-end 2007, Palamida has listed the Top 5 Open Source Vulnerabilities encountered in its audit practice during 2007. The vulnerabilities are associated with the open source projects Apache Geronimo, JBoss Application Server, LibTiff, Net-SNMP and Zlib.

Related topics:  Application and software security 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources