Many software developers and enterprise users have been lax or oblivious to the need to properly manage open source software, suggest survey results Flexera released Tuesday.

Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.

Flexera polled more than 400 commercial software suppliers and in-house software development teams within enterprises about their open source practices.

More than half of the software products currently in use contain open source components, based on the survey's findings.

Open source software allows companies to be nimble in their development, but the risks and security implications are grossly overlooked and not adequately managed, according to Flexera's research team.

"We did this study to put some numbers behind what we have been seeing with open source developers … [Read more...] about Companies Turn Blind Eye to Open Source Security Risks
Open source security
Rapid7 is buying Metasploit, and promising to advance open source penetration testing and the Metasploit Project, which develops exploits against known vulnerabilities.

The upside for Rapid7, a commercial security testing company, is that it will use Metasploit resources to expand the capabilities of its NeXpose vulnerability management software.

Rapid7 says the deal will provide it with better data about exploits so its customers can discover and fix vulnerabilities that could lead to successful attacks against their networks. The parties are not saying how much Rapid7 paid for Metasploit.

Meanwhile, the all-volunteer Metasploit Project will gain a full-time development staff led by its originator H.D. Moore, who becomes chief architect for the project, supported by an exploit developer, a user-interface designer and a quality assurance engineer, according to … [Read more...] about Open Source Security Project Could Get a Boost with Metasploit Buy
Open source is a wonderful thing. A significant chunk of today’s enterprise IT and personal technology depends on open source software. But even while open source software is widely used in networking, operating systems, and virtualization, enterprise security platforms still tend to be proprietary and vendor-locked. Fortunately, that’s changing. If you haven’t been looking to open source to help address your security needs, it’s a shame—you’re missing out on a growing number of freely available tools for protecting your networks, hosts, and data. The best part is, many of these tools come from active projects backed by well-known sources you can trust, such as leading security companies and major cloud operators. And many have been tested in the biggest and most challenging environments you can imagine. Open source has always been a rich source of tools for security professionals—Metasploit, the open source penetration testing … [Read more...] about 5 open source security tools too good to ignore
Germany's Federal Office for Information Security (BSI) will present several new open source-based desktop and security applications on Wednesday at a local Linux event.

The applications include an e-mail encryption tool for Windows users, a security suite for the public and private sectors, and desktop systems for public administrations, BSI said Tuesday.

The GNU Privacy Guard for Windows (gpg4win) application is based on the free software GnuPG, designed to enable data encryption and easy integration with other applications, including Microsoft's Outlook 2003. The software, available for free under the terms of the GNU General Public License, can be used not only by public administrations and businesses but also by consumers.

The product is available for download at: http://www.gpg4win.de.

BSI's open source security suite (BOSS) allows public and private sector organizations to centrally monitor the security of their entire IT networks. The application is based largely on the open … [Read more...] about German agency to release open source security suite
If there’s a poster child for the challenges facing open source security, it may be Werner Koch, the German developer who wrote and for the last 18 years has toiled to maintain GNU Privacy Guard (GnuPG), a pillar of the open source software ecosystem.

Since its first production release in 1999, GnuPG has become one of the most widely used open source security tools in the world, protecting the email communication of everyone from government officials to Edward Snowden.

Yet Koch found himself struggling to make ends meet in recent years. The estimated $25,000 he collected on average in annual donations since 2001 wasn’t enough to support his efforts. As reported by ProPublica, the 53-year-old was close to throwing in the towel on GnuPG when Edward Snowden’s NSA revelations shocked the world, convincing Koch to soldier on. "I'm too idealistic," he said.

The story has a happy ending. After the ProPublica story broke, donors from around the world rushed to support Koch. He … [Read more...] about The state of open source security
The 200 applications reviewed by Black Duck Software for its "State of Open Source Security in Commercial Applications" report used an average of 105 open source components, comprising 35% of the code. That's twice as much open source as the companies participating in Black Duck's audits were aware they used, according to the report.

With this in mind, the report's findings, summarized in the infographic below, are cause for even greater concern.

Among the highlights:
- Two-thirds (67%) of the applications reviewed contain known open source security vulnerabilities
- 39.5% of the open source vulnerabilities in each application were rated as "severe"
- 10% of the applications reviewed contained the widely publicized and now well-known Heartbleed vulnerability

This infographic, based on the Black Duck report, offers valuable insights into the state of open source security. … [Read more...] about Your open source security problem is worse than you think
Red Hat recently open sourced the Red Hat Certificate System, software for managing user identities and privacy on a network. However, does open sourcing security software make it more secure, or does opening the code lead to vulnerabilities?

An excerpt from the Washington Post:

The Linux vendor said Wednesday it has released the entire source code for the Red Hat Certificate System, its security framework for managing user identities and transactions on a network. Red Hat acquired the system from AOL three years ago, but only parts of the system, which uses the Apache Web server and the Red Hat Directory Server, were open source.

There are several benefits in opening up the code, chief among them being the integration with open standards-based technologies. But open source also has this meta-hole problem mentioned by Dana Blankenhorn at ZDNet.

This implies that it all comes down to the individuals assessing the code. But does the community of open-source developers top the scrutinizing … [Read more...] about Does open sourcing security framework lead to more secure software?
Really? Did I wake up this morning only to find that Dr. Emmett Brown successfully teleported me Back to the Future with his DeLorean? Or are the majority of people polled by Forrester that clueless, and is Forrester that irresponsible?

Let me break it down for you. In two reports done by Forrester ("The State of SMB Software: 2009" and "The State of Enterprise Software: 2009"), of the 2,227 people polled:
- 58% of large companies had security concerns about open source.
- Two-thirds of small to midsized businesses had security concerns with open source.
- 9% of enterprises said they were "very concerned" with open source security.
- 45% of small to midsized businesses were "very concerned" with open source security.

I would like to ask both Forrester and those polled a few questions myself. To Forrester I would ask you:

"Who is funding these surveys?"

"Do you know enough about open source yourself to actually create a fair poll?"

What's with the large change between enterprise and SMB in the … [Read more...] about Companies still concerned about open source security? Really?
Discussions of the relative security benefits of an open source development model, like comparative discussions in any realm, all too often revolve around only one factor at a time. Such discussions tend to get so caught up in their own intricacies that by their ends nobody is looking at the big picture any longer, and any value such discussions might have had has already evaporated.

When trying to engage in a truly productive exchange of ideas, it is helpful to keep in mind the fact that when something is worth doing, it is usually worth doing for more than one reason. This applies to the security benefits of an open source development model, as it does to other topics of discussion. A small number of such factors behind the security benefits of open source development are examined here:

Probably the most common and obvious scratching post in online discussions of open source security is the so-called "many eyes" theory of software security. The simple version is often … [Read more...] about Key open source security benefits