I’ve been meaning to find some time to respond to a recent report by Fortify that cast some pretty negative aspersions on the security of Open Source software. Their conclusions are fairly sweeping generalizations that could be applied to just about anything:
“Government and commercial organisations… should use open source applications with great caution”
Absolutely true – but also true for software developed under any model with any license.
“Open source projects should adopt robust security practices from their commercial counterparts.”
For some reason Fortify believes that commercial software is the benchmark for software security – though it doesn’t provide any evidence of that, nor any detail on what those practices are. Many commercial software companies are proprietary and closed and lack transparency – so we really don’t know if they’re better or worse. I’d also suggest that commercial / proprietary software companies can learn a lot from open source – and indeed many have.
But here’s the real issue and the irony – Fortify could not write this report for closed, proprietary products; it would not be able to include proprietary products in a report like this. It’s just not possible. That should be a real concern.
IMO – the recent report from Coverity offers a much more balanced view of security defects in open source.
On the whole – the report was pretty positive on JBoss. Firstly, Red Hat sponsored projects did pretty well in their static analysis. As you can see from the chart – the vulnerability densities for JBoss AS and Hibernate were the lowest of the projects analysed.
Since the report was published we’ve also taken action to ensure Red Hat’s secalert mail alias is more prominent in more places.
Finally – I should add – we take security pretty seriously and invest pretty heavily – we have to do this because our customers demand it. One example is that JBoss EAP 4.3 is currently undergoing Common Criteria Evaluation at EAL 2+ – that’s a pretty serious and long term commitment.
Update – I noticed that Fortify has a blog, “… a place for discussion and feedback, both positive and negative”. Unfortunately they’ve blocked comments – so maybe not.