Fortify says: U.S. government needs software-security assurance processes for open source

02/18/2009


President Obama's Administration is being encouraged to embrace open source software, copying a similar U.K. government game plan. However, the Administration needs to insist that secure development processes are in place for open source projects, says Fortify Software , a specialist in security assurance solutions.
In a letter to President Obama, a group of 15 open source advocates are suggesting that the U.S. government adopt open source applications in preference to commercial programs, a process they claim will save the government a lot of money.
Notes Fortify CEO Roger Thornton, “Governments and open source proponents need to understand that security is not a birthright. It does not come 'for free' because of the way you license your product. If security objectives are not clear and secure development methodologies are not in place, it’s a pretty safe bet that security problems will result, whether open source or commercial software.”
According to Thornton, the net result of the potential security flaws that can arise from open source means that the direct cost savings of using such programs as an alternative to commercial software can be significantly outweighed by the indirect costs.
By indirect costs, he means the cost of remediation and hardening the code concerned, as well as the potential costs of litigation that can result when things go badly awry and rogue code causes problems.
Says Thorne, “We have experience with hundreds of development organizations establishing, and in many cases, defining, engineering processes that assure application security. These organizations have put in place security controls for open source because of poor security practices.”
The Spanish government, for example, has been actively encouraged to adopt Hipergate , an open source Web-based application suite that runs on multiple databases and operating systems.
The argument Hipergate makes to the Spanish government (in Spanish) is presented here.
"Our manual and automated review of Hipergate highlights what a lack of security process means,” says Thorne. “Hipergate lacks a security expert and doesn’t even have a security email alias. Hipergate has about 16 vulnerabilities per 1000 lines of code—which is outrageously high. Hipergate should not be used by anyone. Because of this, we urge President Obama's Administration to thoroughly research the possibilities offered by open source, but also consider the ramifications of using this technology.”
Learn more here about Obama's open source lobbyists.





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Sensor-to-cloud interoperability; PID and digital control efficiency; Alarm management system design; Automotive industry advances
Make Big Data and Industrial Internet of Things work for you, 2017 Engineers' Choice Finalists, Avoid control design pitfalls, Managing IIoT processes
Engineering Leaders Under 40; System integration improving packaging operation; Process sensing; PID velocity; Cybersecurity and functional safety
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Flexible offshore fire protection; Big Data's impact on operations; Bridging the skills gap; Identifying security risks
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
click me