European institutions should use available security tools more often
Developers of open source software are generally more aware of code security issues than developers working for the European institutions, according to a study conducted on behalf of the European Commission and European Parliament. Developers working for the European institutions have more tools available for management and testing of code security, but using them is not yet standard practice.
Open source developers should have more testing environments, and should perform more security testing, the study recommends.
To compare code security methods used by open source communities and software development projects in the European institutions, the study looks at ten segments commonly found in software development, such as project management, release management, software testing, and incident management. For each segment, the report lists conclusions and recommendations. For example: project management is more efficient at the European institutions, and the study recommends that, if possible, free software groups improve in this area.
To shore up software security, the authors suggest that the European institutions and free software groups standardise their security definitions and that both use standard authentication mechanisms.
The report is one of the results of the ‘EU Free and Open Source Software Auditing’ EU-Fossa project, which ends in December. This project will establish a formal process that will let the European institutions contribute the results of their software security reviews back to the open source communities.