Security Bites 109: Open-source security

More and more governments and enterprises are using open source. A new report looks at how secure these collaborative software projects are and what needs to change.

For years, one of the arguments for using open-source software instead of proprietary software held that open source was more secure. After all, having thousands of eyes looking at the code can't but help find and mitigate potentially dangerous bugs. A new report from Fortify challenges that assertion.

Open-source software can be found in over half of the enterprises today. And open source code can be found within the Mac OS 10 operating system. But how are open source vulnerabilities and, more importantly, their patches handled?

This week a report from Fortify found that, while vulnerabilities exist and are reported within the open-source community, not every open-source project had a clearly defined contact or security alias. Nor was it clear what the process would be for issuing a patch, or how the projects conduct their own vulnerability assessments. The report looked at several known open-source projects such as JBoss and Tomcat.

CNET's Robert Vamosi spoke by phone with Roger Thornton, CTO at Fortify about the report and its findings.


Listen now: Download today's podcast

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    Nissan gives new Murano bold style (pictures)
    Top great space moments in 2014 (pictures)
    This is it: The Audiophiliac's top in-ear headphones of 2014 (pictures)
    ZTE's wallet-friendly Grand X (pictures)
    Lenovo reprises clever design for the Yoga Tablet 2 (Pictures)
    Top-rated reviews of the week (pictures)