‘Each community is a different planet’ - authors warn
The IT security practices of some open source communities are exemplary, according to a study for the European Commission and European Parliament. Many communities use experts to ensure software security and to help their developers avoid security flaws. “These communities take security seriously”, says Alberto Dominguez Serra, one of the authors working for Everis, an IT consultancy.
The study considers the software security practices of 14 open source communities: the Debian and Redhat open source distributions, OpenStack, LibreOffice, Spring FrameWork, OpenSSL, PIWIK, OWASP, Drupal, Apache Tomcat, Jenkins, Eclipse, Bitergia and OwnCloud. It lists their methodologies, best practices, software tools and management approaches dealing with software security aspects.
To review the communities’ best practices, the authors created 54 tables, showing if a certain security best practice is used or relevant for each of the 14 communities. For example, all but one of the sampled groups use automatic code review methods and checklists. Eleven have a vulnerability response method, such as security teams or processes to deal with vulnerabilities, five use multiple or different security teams, and five use pre-designed test cases.
However, Dominguez Serra warns that the report is not an evaluation of IT security practices in all free software groups. The field is too large for just one report, he says. “It is a universe where each community is a different planet.”
The report is intended for software developers working for the European Commission and European Parliament that want to improve their understanding of open source.
The text, made public in September, is part of the two-year and EUR 1 million ‘EU Free and Open Source Software Auditing’ (EU-Fossa) project.
EU-Fossa will end in December. The project will establish a formal process that will let the European institutions contribute the results of their software security reviews back to the open source communities. EU-Fossa will also complete the code review of Apache HTTP Server and KeePass. The project is making all of its reports and studies publicly available.
EU-Fossa appreciates feedback, both on this report and the others. Those interested can join the project forums.