
An Examination of Secure Implementation and Maintenance for Free and Open-Source Software

Posted on: 2015-01-22
Degree: D.B.A
Type: Dissertation
University: Northcentral University
Candidate: Angle, James L
Full Text: PDF
GTID: 1478390017999846
Subject: Business Administration
Abstract/Summary:
This study examined the secure implementation and maintenance of free and open-source software (FOSS). Implementing FOSS requires conducting a security impact analysis and securely maintaining the software. Currently there is a lack of defined structure for the security impact analysis conducted by security personnel within organizations with regard to FOSS. In addition, proper configuration and management of information systems is essential to providing system security. This qualitative, multiple case study examined the security impact analysis and secure software maintenance processes that organizations use when implementing FOSS. The researcher collected the data for this study through interviews with six information security managers and practitioners in three different industries: government, healthcare, and financial. A constant comparative method of analysis was used to find common methods, gain insights, and determine themes in order to gain a deeper understanding of how organizations conduct a security impact analysis and maintain FOSS. A document analysis compared the practitioners' answers with the organizations' policies and procedures to corroborate that their actions were in line with those policies and procedures. The study's findings showed that all participants practice some form of configuration management, in that they all had a defined process for authorizing, testing, documenting, and monitoring changes (Yarberry, 2007). The participants in the study implemented and maintained FOSS in the same manner as COTS products. The participants did not use the OSVDB, nor did they take advantage of the patch notification provided by sites such as SourceForge. Identification of products and their source was left up to the user. Participants stated that once FOSS is implemented, patching is accomplished in the same way as with COTS, which may result in falling behind the current FOSS version.
Additionally, when segments of FOSS code are used in the development of proprietary software, the coders were responsible for code analysis to ensure the code is free of vulnerabilities. The study's findings will help organizations understand how they can more securely implement and maintain FOSS products.
Keywords/Search Tags: FOSS, Secure, Software, Implementation, Maintenance, Free, Security impact analysis, Organizations