The dust has not yet settled on the recent discussion in the media about the security merits of Open Source Software. Continuing my assertion that Open Source software can be as secure as one intends it to be, I will be giving a presentation titled "Securing Open Source" at the DHS Software Assurance Forum at NIST in October. The DHS National Cyber Security Division is the main sponsor of this forum.
What will my presentation cover? Well, once it is ready I will post it here. In the meantime, I would like to talk about the secure practices we follow in JBoss development, as well as the lessons learned during the ongoing Common Criteria Evaluation of JBoss EAP 4.3.
This month, I am moderating a panel and chairing sessions at the Oasis Security Forum in London. Stop by if you live in or around London. :)
So what really goes into securing open source? Mainly, it is the processes followed in the development and maintenance phases of the software. Many times, open source software is written by enthusiasts and philanthropic developers for whom getting the latest innovation out is the primary concern. In those cases, security and maintenance certainly receive too little attention. But such cases are not the general trend for open source. For open source projects/products such as Apache Httpd, Tomcat, Linux (Red Hat) and JBoss, one or more companies stand behind the success of the project. In these cases, security is dealt with as and when needed, and every security vulnerability is fixed as soon as possible.