Open-Source Apps Earn Software Security Seal Of Approval - InformationWeek
Commentary
7/23/2009
11:38 AM

Open-Source Apps Earn Software Security Seal Of Approval

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.

The two open-source apps, OpenVPN and the Sendmail Mail Transfer Agent, are both extremely popular among business users. According to a Veracode press release, its "A" rating indicates that a software developer has "developed a secure application that has been independently evaluated for software vulnerabilities against industry standards."

Security is a major concern for both projects. OpenVPN is a widely used tool for creating point-to-point encrypted network connections, and Sendmail MTA is the single most widely used application of its type -- open-source or proprietary -- in use today.

Third-party software vulnerability testing is a growth market, and Veracode is one of the companies at the forefront of this industry. The company tests both open-source and proprietary applications using several independent software-security standards.

The idea is to provide an impartial, objective source of software security assessments. Veracode is a for-profit company that charges software developers for its assessments; the idea is that companies whose products receive a high security rating will be able to market themselves more effectively to customers.

Since Veracode's tests are applied to compiled code, proprietary software vendors are able to submit their products for testing without being forced to reveal their source code to an outside organization. (Of course, this isn't a problem for open-source software such as OpenVPN and Sendmail.)

This approach offers some obvious benefits. First and foremost, it assures software users that a product has been tested extensively against a consistent set of standard software-security criteria. That doesn't guarantee that an application is completely free of potential security flaws, but it certainly offers an additional measure of assurance.

On the other hand, it is possible to argue that a for-profit company like Veracode might face pressure to adjust its results to satisfy its paying customers -- that is, the companies that submit their software for testing. It's an obvious concern, although Veracode's implementation of industry-standard software security benchmarks provides an obvious way to avoid the problem.

Software vulnerability testing isn't a totally effective way to detect potential security flaws. It is, however, an important new addition to the software security arsenal. And for business users, these types of third-party testing and rating schemes are definitely worth considering as part of any software evaluation process.
