In April 2007, I published a darkreading article on the size of the software security space with some analysis of what was happening. It took me a bit longer to gather the numbers this year, but I finally got what I needed and published an informIT article recently explaining how software security is growing.

I am very optimistic about the growth of the software security field over the last few years. Things are certainly moving in the right direction (toward white box analysis instead of outside->in black box, out of the myopic focus on Web apps, and toward full-lifecycle programs based on the touchpoints). The numbers show this growth and these trends objectively.

On a top secret mailing list I participate in, there was some recent discussion about a recent article published by Fortify slamming the Open Source community for failing to adopt software security (you can find the article on the Fortify website). Here’s what I posted to the list (identities masked to preserve secret identities):

I just downloaded and read the Fortify study. It’s more of a white paper than it is science, but it is reasonably well presented and seems not to be too terribly fluffy. You can download a copy for yourself from the Fortify website. In the end what we have is some evidence that there are some open source projects that are behind the curve from a security perspective. I don’t think this should come as a surprise to anyone.

Some specifics based on other postings:

[DoD open source guy] sez>> First, it’s Java-heavy.

This is true. As far as I know, all of Fortify’s open source work has been Java-based (see the Java Open Review project). I don’t see why this impacts the results very much. Though open source Java projects may be a bit less responsive to security, the conclusions in the report are clear about just what set of projects were considered. Then again, I am not at all sure what methods were used to pick 11 out of 101 JOR projects.

[Apache leader] sez>> My experience on the security team at Apache…

Incidentally, when it comes to the results reported, Apache (Tomcat) is the only one of the eleven projects that is reported to have security-specific email, links to security info and access to security experts. One the other hand Apache (Struts) is reported not to have these things, which [DoD open source guy] argues is misleading since the Apache ASF page has these things.

[crypto open source guy] sez >> A better summary would have been “Many developers still don’t care about security.”

Sadly this is true. However as an evangelist in the space I will point out that the commercial world appears to be making much better headway in software security than the open source community (present company excepted of course but I am donning my asbestos suit anyway). I think many of the reasons why commercial software has an unfair advantage were covered in a panel on open source and security that Peter Neumann, Fred Schneider, and I all participated in at Oakland in 2000 (I can dig up e-copies if anybody cares).

One project was singled out for good software security practice: Mozilla. Should we all try to be more like Mozilla?

The debate did not rage on on the top secret list, but it must be raging on somewhere, because Roger Thornton just posted a response to the Fortify blog which you cab read here.

Frankly I was hoping that we killed this thing dead at Oakland in 2000. Guess again!