In many cases, open source software can help companies save money. But will those applications introduce new security threats?
IT security experts often disagree about the relative security of open source software. Some observers say many open source developers don’t have incentives to fix security vulnerabilities, so they often go unpatched.
However, others point out that the attention paid to security varies across different communities and that while some may not have a strong record with security, others have been very effective at delivering patches.
Also, some argue, open source applications are often less widely used than their commercial counterparts, so they aren’t attacked as often.
The debate has heated up recently as some researchers have pointed out the security deficiencies in some open source projects. For example, in a presentation at the recent RSA security conference, researchers from Sourcefire presented findings of a study of security vulnerabilities in open source and commercial software.
One finding: When the vulnerability counts for all of the major Linux distributions were combined, Linux had more vulnerabilities reported in 2012 (1,752) than all versions of Windows combined (1,114).
Also, when comparing web browsers, Sourcefire found that the open source Mozilla Firefox contained the highest number of critical vulnerabilities last year, with 433 — even more than Internet Explorer, which is often considered a higher risk based on the number of attacks that target the browser.
Plan open source implementations
In the end, all software is going to have vulnerabilities — whether it’s commercially sold or open source. However, the debate about open source security should make one thing clear for organizations: It’s important to take security into account when considering open source implementations.
Some questions IT should ask before choosing an open source application:
- How active is the community? Take a look at discussion boards and the frequency of updates. That will give you an idea of how many people are developing the app and how quickly bugs get fixed.
- Are there regular security patches? Find out if the project has established practices for identifying vulnerabilities and fixing them.
- What kind of quality assurance process is there? Check the process being followed by developers for each release. If it’s not up to your standards, look somewhere else.
- How have other businesses used it? The best way to see if an open source project will work for you is to tap into the community and find a business similar to yours that has tried it.
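The first three questions above (community activity, patch regularity, release discipline) can be turned into measurable signals once you have a project's release dates and its security advisory history. The script below is an added example written for this article, not code from the article or from any project it mentions; the project "example-app", its release dates and its advisories are all constructed, and the thresholds (120 days between releases, 30 days to fix, 90 days open) are assumptions you would tune to your own risk appetite.

```python
from datetime import date
from statistics import median

# Constructed sample data for a hypothetical project "example-app".
# In practice you would fill these from the project's release history
# and its published security advisories.
RELEASES = [
    date(2012, 1, 10),
    date(2012, 3, 2),
    date(2012, 5, 15),
    date(2012, 8, 1),
    date(2012, 11, 20),
]

ADVISORIES = [
    {"id": "ADV-1", "disclosed": date(2012, 2, 1), "fixed": date(2012, 2, 9)},
    {"id": "ADV-2", "disclosed": date(2012, 6, 10), "fixed": date(2012, 7, 16)},
    {"id": "ADV-3", "disclosed": date(2012, 10, 5), "fixed": None},  # still open
]


def release_cadence_days(releases):
    """Median number of days between consecutive releases (None if < 2 releases)."""
    ordered = sorted(releases)
    gaps = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    return median(gaps) if gaps else None


def time_to_fix(advisories):
    """Median disclosure-to-fix time for patched advisories, plus the unpatched ids."""
    fix_days = [(a["fixed"] - a["disclosed"]).days for a in advisories if a["fixed"]]
    unpatched = [a["id"] for a in advisories if a["fixed"] is None]
    return {
        "median_days_to_fix": median(fix_days) if fix_days else None,
        "fixed_count": len(fix_days),
        "unpatched": unpatched,
    }


def assess(releases, advisories, as_of, max_cadence=120, max_fix_days=30, max_open_days=90):
    """Summarise the project's maintenance signals and list concerns against thresholds.

    The thresholds are assumed defaults for illustration; adjust them to your policy.
    """
    cadence = release_cadence_days(releases)
    fixes = time_to_fix(advisories)
    days_since_release = (as_of - max(releases)).days if releases else None
    open_ages = {
        a["id"]: (as_of - a["disclosed"]).days for a in advisories if a["fixed"] is None
    }

    concerns = []
    if cadence is None or cadence > max_cadence:
        concerns.append("infrequent releases")
    if days_since_release is None or days_since_release > max_cadence:
        concerns.append("no recent release")
    if fixes["median_days_to_fix"] is not None and fixes["median_days_to_fix"] > max_fix_days:
        concerns.append("slow to patch disclosed vulnerabilities")
    for adv_id, age in open_ages.items():
        if age > max_open_days:
            concerns.append(f"{adv_id} unpatched for {age} days")

    return {
        "median_release_gap_days": cadence,
        "days_since_last_release": days_since_release,
        "median_days_to_fix": fixes["median_days_to_fix"],
        "open_advisory_age_days": open_ages,
        "concerns": concerns,
    }


if __name__ == "__main__":
    report = assess(RELEASES, ADVISORIES, as_of=date(2013, 1, 15))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of the numbers is comparison rather than a pass/fail verdict: run the same assessment against the commercial or alternative open source candidates and you get a like-for-like view of how quickly each one actually ships fixes, which is the question the debate above leaves unanswered.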
FinanceTechNews.com delivers the latest Finance news once a week to the inboxes of over 150,000 Finance professionals.