Last updated on May 31, 2012 at 17:56 EDT

Ounce Labs: Open Source Software is Getting a Bad Rap on Security

March 9, 2009

Application security leader refutes misleading vendor statements about open source security risks

WALTHAM, Mass., March 9 /PRNewswire/ — Ounce Labs, the industry leader in enterprise static application security testing (SAST), today announced that the recent spate of criticism from security vendors about open source software is off-base, and in many cases, counterproductive to security.

According to Ounce Labs’ Jack Danahy, a 20-year security industry veteran and the company’s co-founder and CTO, “Most of the security arguments against open source software are misleading. There is a myth out there that because the bad guys can see the source code, there is more security vulnerability. The relative security of software – whether it’s open source, commercial or home-grown – is much more dependent on whether security was a top priority during the development cycle, or just an afterthought.”

Danahy adds, “Some in the industry will have you believe that there are inherent security problems in the development methodology of open source software that expose users to greater risk of security breaches. In our experience with customers, and in our work supporting the open source community, we have found strikingly little difference in the overall security of open source programs and those developed in a more proprietary manner. Our own people, our partners, and our customers have used the Ounce Labs’ suite of tools to examine literally billions of lines of code, and there is not a stark differentiation between the two. The bottom line is this: there is an endless supply of both secure and vulnerable software across the commercial, open source and proprietary domains. The assessment of the scope, severity, and situational impact of those vulnerabilities should be a core process in any software acquisition, regardless of the source.”

Flexibility, cost, and enterprise-level features have always been key factors for organizations that choose open source over commercial technology. Open source software is a valuable option in today's enterprise, but just as with commercial software, vulnerability management and mitigation should be a top concern for any company that depends on software to run its business. To mitigate the business risk created by insecure software, companies need a process that lets them assess, remediate and prevent security vulnerabilities in all of their business software, whatever its origin.

“Open source software can deliver enormous value and it’s not difficult for enterprises to perform the necessary analysis and remediation to ensure that it has suitable security,” added Danahy. “This is why organizations like the U.K. government can investigate and potentially accelerate the use of open source software. They understand that open source is no less secure than any other form of software, as long as all software is analyzed in advance of deployment by either the developer or the purchaser, to ensure that it meets the necessary security requirements.”

As a testament to its commitment to the open source community, Ounce Labs has contributed an Ounce/Maven Plug-in that gives projects built with Maven drop-in integration with Ounce scanning. In addition, Ounce Labs has released an entire framework under an open source license, called Open Ounce (O2), so enterprises can use the product in new ways to strengthen security across critical applications.

“Open source is here to stay,” Danahy concluded. “I do not believe that the appropriate move is to mindlessly criticize the investigation of open source, and would rather have security vendors help customers gain maximum benefit from it by recommending consistent and sound security practices.”

Jack Danahy is co-founder and CTO of Ounce Labs, Inc., and more of his thoughts and opinions can be found on his blog at http://suitablesecurity.blogspot.com.

About Ounce Labs, Inc.

Ounce Labs’ industry-leading Static Application Security Testing (SAST) suite brings enterprise-wide awareness of business critical vulnerabilities. With this ability to identify and prioritize issues, organizations have the information they need to address their greatest risks. Ounce’s patented source code analysis delivers the scalability and automation to help organizations such as EDS, IBM, Intel, and Lockheed Martin strengthen application security and protect confidential information. Ounce also helps organizations to verify regulatory and policy compliance, addressing PCI DSS, FISMA, HIPAA and others. For more information, please visit www.ouncelabs.com.

Ounce Labs is a registered trademark of Ounce Labs, Inc. in the United States and other countries. Other product or service names mentioned herein are the trademarks of their respective owners.

    Media Contacts:
    Jennifer Sullivan                            Brenda Menard
    Ounce Labs                                   Davies Murphy Group
    781.547.7013                                 781.418.2435
    jennifer.sullivan@ouncelabs.com              ounce@daviesmurphy.com
    http://www.ouncelabs.com                     http://www.daviesmurphy.com

SOURCE Ounce Labs


Source: newswire