Fortify says: U.S. government needs software-security assurance processes for open source

By Manufacturing Business Technology Staff February 19, 2009

President Obama’s Administration is being encouraged to embrace open source software, copying a similar U.K. government game plan. However, the Administration needs to insist that secure development processes are in place for open source projects, says Fortify Software , a specialist in security assurance solutions.In a letter to President Obama, a group of 15 open source advocates are suggesting that the U.S. government adopt open source applications in preference to commercial programs, a process they claim will save the government a lot of money.Notes Fortify CEO Roger Thornton, “Governments and open source proponents need to understand that security is not a birthright. It does not come ‘for free’ because of the way you license your product. If security objectives are not clear and secure development methodologies are not in place, it’s a pretty safe bet that security problems will result, whether open source or commercial software.”According to Thornton, the net result of the potential security flaws that can arise from open source means that the direct cost savings of using such programs as an alternative to commercial software can be significantly outweighed by the indirect costs.By indirect costs, he means the cost of remediation and hardening the code concerned, as well as the potential costs of litigation that can result when things go badly awry and rogue code causes problems.Says Thorne, “We have experience with hundreds of development organizations establishing, and in many cases, defining, engineering processes that assure application security. These organizations have put in place security controls for open source because of poor security practices.”The Spanish government, for example, has been actively encouraged to adopt Hipergate , an open source Web-based application suite that runs on multiple databases and operating systems.The argument Hipergate makes to the Spanish government (in Spanish) is presented here. “Our manual and automated review of Hipergate highlights what a lack of security process means,” says Thorne. “Hipergate lacks a security expert and doesn’t even have a security email alias. Hipergate has about 16 vulnerabilities per 1000 lines of code—which is outrageously high. Hipergate should not be used by anyone. Because of this, we urge President Obama’s Administration to thoroughly research the possibilities offered by open source, but also consider the ramifications of using this technology.”Learn more here about Obama’s open source lobbyists.