I’ve been receiving a lot of email in the past day or so following the publication of an open source security study, conducted by Larry Suto and sponsored by Fortify, which suggests that open source development projects are not following security best practices. The study was limited to eleven open source projects, which did not include Actian. If you weren’t already aware of it, Fortify sells the tools they believe open source projects should be using to identify and repair vulnerabilities in their code as part of their standard development procedures. The study also recommends that open source adopters employ these tools before deploying open source solutions in their environment. Should security tool vendors be discouraged from using scare tactics to promote their products and services? I guess not if the threat is real, but when reading vendor-sponsored studies one needs to consider the source.
We at Actian are familiar with Fortify because we evaluated the toolset as part of the process of selecting a code-scanning tool for Actian. While we were impressed by the product and the team behind it, we chose a competitor that better suited our specific needs. Addressing the issues uncovered by code-scanning tools not only leads to a more secure product, but also improves product reliability by identifying the potential for buffer overflows, references to memory that has previously been freed, and so on.
Proprietary code-scanning tools are expensive, which may be why they are not part of the standard development methodology for all open source projects. But Fortify, to their credit, has made their static analysis suite available to open source projects through their Fortify Open Review project. There are also open source tools like findbugs that I’d encourage you to investigate.
I was delighted to see a list of “defect-free” open source projects on the Fortify Open Review site. It was also interesting to see that the number of defects per thousand lines of code in open source projects that have been participating in the Fortify Open Review project is significantly lower than one would expect in closed source products, and it was disappointing that this wasn’t mentioned in the report. Rather than embroiling myself in an open source vs. closed source controversy here, I’ll point you to a study conducted by Carnegie Mellon University.
The Fortify study suggests that all open source projects should have a security-specific email alias, a prominent link to security information and easy access to a security expert. These are indeed industry best practices, and it would be foolish to argue against any of them. Actian follows these best practices, and to learn more about Actian vulnerabilities, visit http://www.actian.com/support/security-announcements.php.
We take security seriously at Actian. In many cases the data stored in an Actian database is sensitive, and it’s imperative that we follow security best practices in our development and support processes and that the product provides all the security features required by the enterprise.