Security and Open Source

According to a new survey conducted by EMC Corp.'s RSA division and Carnegie-Mellon University, corporate boards of directors and senior executives fall short of best management practices for privacy and security. RSA also announced new security offerings that enable threat information sharing and assure trust for mobile business and cloud computing. Meanwhile, the just-released 2011 Coverity Scan Open Source Integrity Report finds that open source code has fewer defects per thousand lines of code than proprietary software code does.

Focal Points:

  • A survey of governance practices among Forbes 500 CEOs, CFOs, CROs, and board members found that most boards and senior executives are not reviewing privacy and IT security budgets, roles and responsibilities, or IT risk assessments. 42 percent of the boards rarely or never review and approve top-level policies on privacy and IT security risks. When it comes to reviewing and approving the roles and responsibilities of lead personnel, 66 percent rarely or never perform the reviews. Similarly, 54 percent of the boards and senior executives rarely or never review and approve annual budgets for privacy and IT security programs. On the positive front, 38 percent of the boards and senior executives review IT risk assessment reports regularly, while 34 percent review them occasionally and 25 percent rarely or never look at them.
  • RSA announced a new version of NetWitness Live, a 24x7 service that aggregates relevant threat intelligence information, and an experimental cloud-based proof-of-concept (POC) framework designed to help the global security community improve intelligence sharing and collaboration. The POC framework allows organizations and outside security experts to collaborate to detect, investigate and remedy advanced security threats. Working with business partners, RSA has created a security ecosystem strategy for mobile devices. The strategy addresses the network and network controls, device app management, and the device itself. The network control partners are Good Technology Inc., Juniper Networks Inc., and zScaler Inc.; the app management partners are Appcelerator Inc., Citrix Systems Inc., FeedHenry Ltd., Good, and VMware Inc.; and the device management partners are Appcelerator, FeedHenry and Good.
  • Coverity Inc. made public the results of its 2011 Scan Open Source Integrity Report. The Scan project, which was originally launched by Coverity and the U.S. Department of Homeland Security, is the largest public-private sector research effort focused on open source software integrity. This year's analysis included more than 37 million lines of open source software code and more than 300 million lines of proprietary software code from a sample of anonymous Coverity users. The company found that in proprietary codebases, which averaged 7.5 million lines of code in size, the average number of defects per thousand lines of code was 0.64. Open source software did even better – with an average open source project size of 832,000 lines of code, the average defect density was 0.45 defects per thousand lines of code. Furthermore, among open source projects, Linux 2.6, PHP 5.3, and PostgreSQL 9.1 can be used as industry benchmarks, the company said, with defect densities of 0.62, 0.20, and 0.21, respectively.

Experton Group believes enterprises have to live in a state of compromise when it comes to security, but the failure of boards and senior executives to meet their fiduciary responsibilities creates an unnecessary risk exposure. In turn, it pushes the entire risk exposure and blame down to the IT executive level. IT executives should view this as totally unacceptable. IT executives cannot bear the sole responsibility for impacts to brand image, business results, intellectual property (IP) loss, and legal repercussions. These are board and senior management governance and policy decisions. Thus, IT executives must take the lead in getting the board and top management to step up to their fiduciary responsibilities. Experton Group expects to see more announcements like the RSA ones, in which a global security community is used to improve the ability to detect, investigate and remedy advanced persistent threats (APTs). Companies and governments are going to have to work together to minimize APTs from well-funded competitors, hacktivists, and nation-states, and boards will need to be in the decision and governance loop. IT executives should alert senior management to the trends and impacts of the world of APTs and the actions needed to minimize security risks. Lastly, the Scan Open Source Integrity Report paints a positive picture of open source and proprietary code quality, in terms of true code defects only. It would be a wonderful world if new releases (in-house and vendor) came with such low levels of defects. However, these data points do provide a metric against which IT executives can measure prospective software providers and internal development teams. IT executives should push for disclosure of code defects from providers and should add the defect measurement to the list of metrics against which operations measures software providers and development groups.