Open-Source Apps Earn Software Security Seal Of Approval - InformationWeek
Government // Mobile & Wireless
11:38 AM
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Open-Source Apps Earn Software Security Seal Of Approval

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.The two open-source apps, OpenVPN and the Sendmail Mail Transfer Agent, are both extremely popular among business users. According to a Veracode press release, its "A" rating indicates that a software developer has "developed a secure application that has been independently evaluated for software vulnerabilities against industry standards."

Security is a major concern for both projects. OpenVPN is a widely used tool for creating point-to-point encrypted network connections, and Sendmail MTA is the single most widely used application of its type -- open-source or proprietary -- in use today.

Third-party software vulnerability testing is a growth market, and Veracode is one of the companies at the forefront of this industry. The company tests both open-source and proprietary applications using several independent software-security standards.

The idea is to provide an impartial, objective source of software security assessments. Veracode is a for-profit company that charges software developers for its assessments; the idea is that companies whose products receive a high security rating will be able to market themselves more effectively to customers.

Since Veracode's tests are applied to compiled code, proprietary software vendors are able to submit their products for testing without being forced to reveal their source code to an outside organization. (Of course, this isn't a problem for open-source software such as OpenVPN and Sendmail.)

This approach offers some obvious benefits. First and foremost, it assures software users that a product has been tested extensively against a consistent set of standard software-security criteria. That doesn't guarantee that an application is completely free of potential security flaws, but it certainly offers an additional measure of assurance.

On the other hand, it is possible to argue that a for-profit company like Veracode might face pressure to adjust its results to satisfy its paying customers -- that is, the companies that submit their software for testing. It's an obvious concern, although Veracode's implementation of industry-standard software security benchmarks provides an obvious way to avoid the problem.

Software vulnerability testing isn't a totally effective way to detect potential security flaws. It is, however, an important new addition to the software security arsenal. And for business users, these types of third-party testing and rating schemes are definitely worth considering as part of any software evaluation process.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll