July 24th, 2008

Ingres gives Fortify security study a good fisking

Posted by Dana Blankenhorn @ 9:22 am

Categories: General, Applications, Development, Enterprise Policy, Infrastructure, Database Management, Security, management

Tags: Ingres, Databases, Security, Enterprise Software, Software, Data Management, Dana Blankenhorn

Emma McGrattan, Ingres senior vp and Eclipse board candidate for 2008

Since Fortify released its security study, unleashing the FUD flood, I have been waiting for someone to give it a good fisking.

Today we have a winner. Meet Emma McGrattan, senior vice president of engineering for Ingres, an open source database outfit.

McGrattan is no dirty hippie blogger. She is a candidate for the board of Eclipse, from which the photo was taken. And she’s a graduate of Dublin City University in Ireland, for my money the real fighting Irish.

Her main points:

  1. There are security toolkits other than Fortify. Just because you don’t use their system doesn’t mean you don’t care.
  2. When reading vendor-sponsored studies consider the source. Always a wise move.
  3. Open source projects in Fortify’s Open Review report fewer defects per thousand lines of code than proprietary products in the same review. I didn’t know that.

Many of Fortify’s recommendations are cheap and easy to implement, McGrattan notes, and all projects should do more to protect their users.

Like posting a security-specific e-mail alias on your Web site and having an expert on standby for questions concerning attacks.

Being transparent about your own vulnerabilities is also a good thing. Ingres is. Transparency does a lot more for everyone’s security than opacity. That’s just my personal bottom line.

One more point. Fortify’s study chose 11 open source projects to research. Ingres was not one of them.

Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983. See his full profile and disclosure of his industry affiliations.
