One security outfit which conducted a study into the use of
open source software in the enterprise, the results of
which are published today, seems to think so. It states
that "Open Source Software (OSS) development communities have
yet to adopt a secure development process and often leave
dangerous vulnerabilities unaddressed."
New data from Fortify Software suggests that the rising adoption of open source software within the enterprise is putting the average business at far greater risk than it should be.
As well as insisting that OSS development communities do not follow a secure development process grounded in software security best practice, and therefore often leave potentially dangerous vulnerabilities unaddressed, Fortify goes on to charge that "nearly all" such OSS communities are also failing to provide users with access to the kind of security expertise that could help remedy the vulnerabilities and risks that remain.
The survey, which was undertaken by application security consultant Larry Suto, looked at a total of just 11 of the most common Java open source packages. The evaluation of security expertise, and of that all-important secure development process metric, was done by Fortify, which claims it "interacted with open source maintainers and examined documented open source security practices" as well as downloading and scanning multiple versions of each package for vulnerabilities using a static analyser. Security-sensitive areas of code were also reviewed manually.