I’ve been receiving a lot of email in the past day or so following the publication of an open source security study, conducted by Larry Suto and sponsored by Fortify, which suggests that open source development projects are not following security best practices. The study was limited to eleven open source projects, which did not include Ingres. If you weren’t already aware of it, Fortify sells the tools they believe that open source projects should be using to identify and repair vulnerabilities in their code as part of their standard development procedures. The study also recommends that open source adopters should employ these tools before deploying open source solutions in their environment. Should security tools vendors be discouraged from using scare tactics to promote their products and services? I guess not if the threat is real, but when reading vendor-sponsored studies one needs to consider the source.
Open Source Security Best Practices
July 22nd, 2008 by Emma McGrattan


