Government // Mobile & Wireless
11:38 AM
The Analytics Job and Salary Outlook for 2016
Jan 28, 2016
With data science and big data top-of-mind for all types of organizations, hiring analytics profes ...Read More>>

Open-Source Apps Earn Software Security Seal Of Approval

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.The two open-source apps, OpenVPN and the Sendmail Mail Transfer Agent, are both extremely popular among business users. According to a Veracode press release, its "A" rating indicates that a software developer has "developed a secure application that has been independently evaluated for software vulnerabilities against industry standards."

Security is a major concern for both projects. OpenVPN is a widely used tool for creating point-to-point encrypted network connections, and Sendmail MTA is the single most widely used application of its type -- open-source or proprietary -- in use today.

Third-party software vulnerability testing is a growth market, and Veracode is one of the companies at the forefront of this industry. The company tests both open-source and proprietary applications using several independent software-security standards.

The idea is to provide an impartial, objective source of software security assessments. Veracode is a for-profit company that charges software developers for its assessments; the idea is that companies whose products receive a high security rating will be able to market themselves more effectively to customers.

Since Veracode's tests are applied to compiled code, proprietary software vendors are able to submit their products for testing without being forced to reveal their source code to an outside organization. (Of course, this isn't a problem for open-source software such as OpenVPN and Sendmail.)

This approach offers some obvious benefits. First and foremost, it assures software users that a product has been tested extensively against a consistent set of standard software-security criteria. That doesn't guarantee that an application is completely free of potential security flaws, but it certainly offers an additional measure of assurance.

On the other hand, it is possible to argue that a for-profit company like Veracode might face pressure to adjust its results to satisfy its paying customers -- that is, the companies that submit their software for testing. It's an obvious concern, although Veracode's implementation of industry-standard software security benchmarks provides an obvious way to avoid the problem.

Software vulnerability testing isn't a totally effective way to detect potential security flaws. It is, however, an important new addition to the software security arsenal. And for business users, these types of third-party testing and rating schemes are definitely worth considering as part of any software evaluation process.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
How to Knock Down Barriers to Effective Risk Management
Risk management today is a hodgepodge of systems, siloed approaches, and poor data collection practices. That isn't how it should be.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.