Old 08-01-2008, 11:11 AM   #1
Administrator
Why open source fails application security tests

Our friends at Zero Day gave Fortify CTO Roger Thornton the floor today, to answer critics of his recent study on open source application security.


It’s a good piece.


One point which really struck home concerned how we test open source code. We test it to see if it works. Security testing works to see if it can be broken.


The distinction is important. Security doesn’t test for bugs, but features that can be exploited.


This makes security hard to build into an open source business model. It’s one of those costs, like insurance, which go into the category of overhead. And open source is all about getting rid of overhead.


The answer is security must first become a business imperative, an early difference between a “community” edition of a package and a “paid” version for which businesses must pay support fees.


This, in turn, tells me where the pressure for change in open source security needs to come from: big customers.


Scary headlines like “open source insecure” create heat, but “we the undersigned demand security testing or we rip it out” are needed to turn on the lights.


My hope is customers go about this responsibly, and Fortify can help, perhaps offering deals with large users, working through user groups, to get the job done. And by cooperating in this with other security vendors in the way open source works other problems.


In other words Thornton has knocked down the door and gotten our attention. Now he needs to work cooperatively with the community — including other security vendors — to get it back on its hinges.






