Is code auditing of open source apps necessary before deployment?
Posted on 23 December 2009.
Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment.

"Given the significant savings to be had from using open source applications, Sun's strategy is a security testing at all stages in the customization process," said Richard Kirk, Fortify European Director.

"It's also good to see Sun announcing its support for the new security guidance from the Cloud Security Alliance, since this means that its open source apps will support the best practice guidelines, which is essential when supporting a private cloud infrastructure," he added.

According to Kirk, whilst the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive - especially now that Amazon is best testing its pay-as-you-go private cloud facility - it's important that the underlying application code is also secure.

Security in any IT resource, he explained, is only as strong as the weakest link, so it's just as important to secure the source code of the software being used as it is to defend the cloud environment, as well as other aspects of a company's IT systems.

"Sun's strategy in opting for open source cloud security tools - including OpenSolaris VPC Gateway, Immutable Service Containers, Security Enhanced Virtual Machine Images and a Cloud Safety Box - is excellent news on the private cloud security front," he said.

"Even so, if businesses go down this route, it's critically important that they invest some of the costs saved by taking the open source path, in security at the program code development and customisation stages. This will help them to create an even more robust solution," he added.





Spotlight

How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals itís our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Sep 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //