Over Half of Software Fails First Security Tests
An anonymous reader writes "Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. And this data is based on software developers who took the time and effort to have their code tested — who knows about the others."
Reader sgtrock pointed out another interesting snippet from the article: "'The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging,' Oberg says. And it was the quickest to remediate any flaws: 'It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,' he says."
Well now (Score:5, Informative)
That's extrapolating a bit much, isn't it? And scanning through the article, they don't even name the sample size, just percentages.
And yes, they mention that it's only the stuff that they test, "so imagine what the rest is like". Well - that's it though, if someone is professionally developing with security in mind, they probably know how to test it in office or know somebody who can. Thus - no need to pay this corporation to test something you can do yourself.
If you are developing with security in mind - but aren't sure exactly what you're looking to protect against - THAT'S when you go to companies like these.
This is a pretty much skewed data source (probably a slashvertisement for them, too), and is the only study of its type. Take it with a week's worth of salt.
What about commercial open source software (Score:5, Informative)
So lots of comparisons between open source and commercial software; however there is a lot of open source software that is sold, i.e. commercial. In addition it has been shown that most of the code for the Linux kernel was developed by people who were paid to do it by Red Hat, IBM, Intel and others. Does that mean that the Linux Kernel is commercial software?
Maybe the article should refer to closed source proprietary and open source software.
The article reads as if the author does not fully understand how Open Source software is developed and is just a large advert (a.k.a. press release) for the auditing software.
Re:Open source doesn't necessarily mean dangerous (Score:4, Informative)
Quite the opposite. OSS is often far more secure than its "commercial" counterpart, for the obvious reasons.
1) No deadline. OSS is usually "done when it's done". Most OSS software I know is in perpetual beta, never reaching what its maker would call a "release state", but offers at least the same level of security and stability (if not better) as its commercial counterpart. Simply because there is no date we have to push something out the door, secure or not, ready or not, we have to make it for Christmas (or for the new Windows version).
2) No need to "sell" the software. You needn't dumb down and strip security so potential customers accept the level of burden security adds to the fold. Security is never free. It always comes at the price of overhead. When you have two software tools available, customers will pick the one that is more "accessible". Which usually also is the less secure one. Because security often adds layers of additional overhead (either to you, the user, slowing you down and requiring you to enter passwords or access things in a certain way, maybe even with additional tools instead of from "inside" the tool you're mainly using, or to the system, meaning your software will run slower).
3) Peer review. Your code can easily be reviewed by thousands of "hackers" trying to find an easy way into your system, instead of having to poke at decompiled code. If you can read the source, far more people are able to poke and prod at it, resulting in more secure software instead of less, because security holes get found faster and, in turn, fixed faster. By the time you start using the product, a few months after its release, you may rest assured that all the easy-to-find security holes have been found by hobbyists. With CSS you often need experienced ASM cracks to dig those holes up, resulting in fewer people able to look at those holes and thus a slower patching cycle.
Re:Security is no selling point (Score:4, Informative)
Actually, good security would be a GREAT selling point, if someone actually implemented it.
Security is the ability to run code without unwanted side effects. Windows, Mac, Linux do not offer a simple way to do this. The closest you can get is either Sandboxie on Windows, AppArmor on Linux, or setting up a VM per program.
If you offered a way to specify the limits of side effects on an application before and while it runs, you could make a ton of people very happy. I suspect there is some money to be made there as well.
Obsolete? (Score:3, Informative)
The conventional wisdom is that open source is risky.
Does anyone believe that anymore, other than journalists quoting other journalists and PR people?
I did some Google searching, trying to find when that old FUD campaign started. It seems to not show up much until 1998.
The 12-year-old advertising/FUD campaign is getting kind of tired.
Re:That's great. (Score:3, Informative)
I agree to the extent that compatibility is an important selling point and it also limits their ability to change their OS.
I'm not so willing to concede that the registry is an example of a design flaw. You have to consider the design within its context. For an explanation of why the registry was created and a discussion for and against it, see http://blogs.msdn.com/oldnewthing/archive/2007/11/26/6523907.aspx
Re:That's great. (Score:3, Informative)
We scan selected open source projects on a pro bono basis and reach out to the project teams to share the findings with them.
Disclaimer: I work for Veracode and was a coauthor of the report.
Re:Security is no selling point (Score:3, Informative)
Your entire rant is based on a false premise. In most cases, security actually increases "comfort" or "convenience." It's damn inconvenient to use a system which crashes, misbehaves, and needs to be frequently rebuilt due to security problems. Removing buffer overflow vulnerabilities from your software in no way inconveniences your users.
Authentication is perhaps the only piece that sometimes is inconvenient. Just typing your username to log in is more convenient than having to type a password. But that's the exception to the rule. And systems which time you out while you're using them, and don't integrate with SSO, are actually not "more secure," they're just badly-implemented. So that's not a trade-off either.
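As an added illustration of the buffer-overflow point in the comment above (example code written for this page, not from any commenter, from Veracode, or from the report), here is a fixed-size name copy done with strcpy beside a bounds-checked version. For input that fits, both produce exactly the same result, so the user never notices the fix; only the unchecked one can be driven past the end of its buffer by an overlong name. The field size, function names and sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed size of a fixed display-name field */

/* Vulnerable form: strcpy copies until the source's NUL terminator and
 * ignores the destination size. A name of NAME_MAX_LEN bytes or more
 * writes past the end of 'dst' (undefined behaviour; the classic
 * stack or heap corruption the comment refers to). */
void set_name_unsafe(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure the source with an explicit bound, reject it
 * if it does not fit, and always leave 'dst' NUL-terminated.
 * Returns 0 on success, -1 if the name was too long (dst is then an
 * empty string rather than a partially written one). */
int set_name_safe(char dst[NAME_MAX_LEN], const char *src)
{
    size_t len = 0;
    /* Bounded scan: never looks further than NAME_MAX_LEN bytes into src. */
    while (len < NAME_MAX_LEN && src[len] != '\0')
        len++;
    if (len == NAME_MAX_LEN) {      /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Demonstration: the same short (constructed) input through both paths,
 * then an overlong (constructed) input through the safe path only. The
 * unsafe path is deliberately not given the overlong input, because it
 * would corrupt memory instead of reporting anything. */
int main(void)
{
    char unsafe_buf[NAME_MAX_LEN];
    char safe_buf[NAME_MAX_LEN];
    const char *ok = "alice";                                       /* constructed, fits */
    const char *too_long = "a-name-that-is-far-too-long-for-the-field"; /* constructed */

    set_name_unsafe(unsafe_buf, ok);
    int rc_ok = set_name_safe(safe_buf, ok);
    printf("short input:    unsafe=\"%s\" safe=\"%s\" rc=%d\n",
           unsafe_buf, safe_buf, rc_ok);

    int rc_long = set_name_safe(safe_buf, too_long);
    printf("overlong input: safe rc=%d buffer=\"%s\"\n", rc_long, safe_buf);
    return 0;
}
```

The safe version costs one extra comparison per byte and a return code the caller must check; nothing about the user-visible behaviour changes for any name that fit before, which is the sense in which removing the overflow adds no inconvenience.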