Network World

Amy Vernon

Open source, proprietary - all software is insecure

Report outlines need for better security reviews of software, no matter the source.

By Amy Vernon on Wed, 03/03/10 - 1:10pm.

Guess what? All software is basically insecure, a new report finds — and, yes, that means open source isn't much better than proprietary.

Each side in the battle between open source and proprietary software has plenty of ammunition in the argument over which is safer against the evils of malware, bugs or other vulnerabilities. Probably anything I'd say here, anything I'd cite, would be soundly rebutted by the other side, which would in turn be soundly rebutted by the first.

Heck, I've half a mind to just close comments on this post before it's even up. Not that I'd do that, of course, because I'm a First Amendment kind of gal.

So with all that in mind, I found a report released this week by Veracode rather interesting. The "State of Software Security Report" basically came to the conclusion that all software is pretty insecure. Open, closed, doesn't much matter. "The Intractable Problem of Insecure Software," they called it.

Now, in reading the executive summary, I kept in mind that Veracode basically makes its living validating the security of open source software. But that doesn't necessarily mean it has an inherent bias against or for open source. Again, arguments might be made in either direction, so I'll leave that to those of you who enjoy that kind of thing.

So, if all software is pretty insecure, according to the report, it doesn't matter if you have Windows, a Mac OS or a Linux-based system. You probably have a mix of proprietary and open source software on your machine or your 'puter talks to other machines that have a mix.

Veracode's key findings:

1. Most software is indeed very insecure.
2. Third-party software is a significant percentage of the enterprise software infrastructure, and third-party components are a significant percentage of most applications.
3. Open source projects have comparable security, faster remediation times, and fewer Potential Backdoors than Commercial or Outsourced software.
4. A significant amount of Commercial and Open Source software is written in C/C++ making it disproportionately susceptible to vulnerabilities that allow attackers to gain control of systems.
5. The pervasiveness of easily remedied vulnerabilities indicates a lack of developer education on secure coding.
6. Software of all types from Finance and Government sectors was relatively more secure on first submission to Veracode for testing.
7. Outsourced software is assessed the least, suggesting the absence of contractual security acceptance criteria.

It seems likely that open source projects get fixed faster than proprietary because there's less red tape. Having worked for a major corporation and as a freelancer, I can attest to the fact that things just take longer when there's a bureaucracy to wade through, even when everyone involved has the best of intentions.

But the fact that just 39 percent of OSS and 38 percent of commercial applications were considered by Veracode to be "acceptable on first submission" should comfort no one. And companies that build their own software for internal use did even worse - only a 31 percent acceptable rate. (The benchmark: the CWE/SANS Top 25 Most Dangerous Programming Errors.)

Part of the problem is the ubiquity of C/C++ applications; 42 percent of those analyzed had vulnerabilities that could have led to remote code execution. The main problem, however, is not so much the language as the fact that software bought from outside vendors is rarely reviewed for security.
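To make findings 4 and 5 concrete, here is the kind of "easily remedied" C defect the report is talking about, beside its fix. This is an added illustration, not code from the article or from Veracode's report; the function names, the 16-byte field size and the sample inputs are constructed for the example.

```c
/* Added example: an unbounded copy into a fixed buffer (the classic
 * CWE-120 / CWE-787 defect from the CWE/SANS Top 25) next to the
 * length-checked version a security review would insist on.
 * NAME_MAX, the function names and the inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* BEFORE: copies whatever arrives into a 16-byte field. Any input of
 * NAME_MAX bytes or longer writes past the end of `name`, which is the
 * memory-corruption route to "attackers gain control of systems" in
 * finding 4. Kept here only for contrast; never feed it untrusted input. */
void set_name_unsafe(char name[NAME_MAX], const char *input) {
    strcpy(name, input);
}

/* AFTER: check the length before copying and refuse input that does not
 * fit. Returns 0 on success, -1 when rejected; `name` is always a valid
 * NUL-terminated string afterwards, so callers cannot read garbage. */
int set_name_checked(char name[NAME_MAX], const char *input) {
    /* memchr scans at most NAME_MAX bytes, so an unterminated or over-long
     * input cannot make us read past the limit either. */
    const char *end = memchr(input, '\0', NAME_MAX);
    if (end == NULL) {
        name[0] = '\0';                 /* too long: leave an empty string */
        return -1;
    }
    memcpy(name, input, (size_t)(end - input) + 1); /* +1 copies the NUL */
    return 0;
}

/* Exercise both paths the way a review would: a well-formed value and a
 * constructed over-long one. Returns 1 if the over-long input was rejected. */
int review_demo(void) {
    char name[NAME_MAX];
    const char *ok = "alice";                                   /* constructed */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes, constructed */
    int rejected = 0;

    if (set_name_checked(name, ok) == 0)
        printf("accepted: %s\n", name);
    if (set_name_checked(name, oversized) != 0) {
        rejected = 1;
        printf("rejected over-long input (%zu bytes)\n", strlen(oversized));
    }
    return rejected;
}

int main(void) {
    return review_demo() ? 0 : 1;
}
```

The fix is two lines of bounds checking, which is exactly why the report reads the pervasiveness of such bugs as an education problem rather than a hard engineering one; a review that asks "where is the length checked?" for every copy into a fixed buffer catches this class before shipping.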

The good news, though, is that among the 15 industries included in the review, government and finance fared the best, with 52 percent of software from the former getting the thumbs up on the first try and 50 percent from the latter. Considering they're more likely than any industry to have your sensitive information on file, that's a bit of a relief, but is 50-50 good enough?

The take-away? Everyone needs to do a better job of reviewing the security of their software. Everyone.

About Pragmatic Source

After nearly 20 years as a professional journalist for large and small daily newspapers in Florida, Arizona and New York, Amy was part of the Great Newspaper Culling of 2008. That was a good thing. Now, Amy writes for a variety of websites, including NetworkWorld, Discovery's Parentables and Soshable and consults with a variety of sites on their social media strategy.

She also has created the first - and only - bacon news aggregator on the Internet, Bacon Queen and has altogether too many Tumblogs. Amy is the top female user of all time on Digg.com and spends altogether too much time on the computer. You can follow her on Twitter and find more out about her on her website.
