Comments
Open-Source Software Brings Bugs To Web Applications
RonR595
User Rank: Strategist
10/28/2014 | 11:30:40 AM
Re: Security is a Mindset, Not a License
Christian, there are actually studies that verified your gut feeling, and have shown that the number of bugs and security vulnerabilities is substantially the same in FOSS and proprietary code.
RetiredUser
User Rank: Ninja
10/25/2014 | 3:26:36 AM
Security is a Mindset, Not a License
I've been buried in Free and Open Source Software (FOSS) since the 1990s.  My day job typically was full of proprietary, heavily licensed and dongled software.  In getting to know FOSS project members, and rubbing shoulders with commercial software programmers, I quickly learned that security, secure coding, and just an overall sense of keeping the end user's data safe from prying eyes had nothing to do with the license on the code, but mostly the mentality of the coder and/or project manager behind the code.  Trend out 1,000 proprietary apps and 1,000 FOSS apps and I think the story on vulnerabilities and exploits will level out between the two.  The Center for Internet Security and OWASP are excellent resources for the casual software project team member to become familiar with and take a cue from.  While everyone else is arguing over whether FOSS or locked down apps are more secure, you can start coding securely from the ground up and demonstrate a little more respect for your end users than the next app, whatever its license may be.
Thomas Claburn
User Rank: Ninja
10/23/2014 | 6:50:57 PM
Re: open source funding
Agreed. The legal status of code doesn't reflect the quality of the code.
AnonymousMan
User Rank: Moderator
10/23/2014 | 12:55:43 PM
Re: Undermines an open source article of faith
Fair enough, I personally don't agree that open source is more or less secure either. The same technical complexities exist and the same flawed humans are writing the code either way. But, it's also worth pointing out that product abandonment is a bigger problem for closed source IMHO. Companies abandon products in favor of some shiny new object all the time. At least with open source, you have the option of fixing a vulnerability yourself (e.g. struts framework vulnerabilities).
RonR595
User Rank: Strategist
10/23/2014 | 11:39:14 AM
Different viewpoint: managing security of open source is actually EASIER than your own code
Let me start with a disclaimer: I am co-founder and chairman of WhiteSource.

First, I think everyone would agree that open source is the single most important catalyst to software development these days. With open source, product developers can focus on their own contribution, and can use good and well tested open source for all the rest.

Second, all the evidence is that open source code is of the same quality as tested commercial code (there are numbers to support that). That means it has bugs and it has security vulnerabilities, but no more nor less than commercial code. Within a given product, NEW code is most likely more buggy and more vulnerable (on average) than the open source components in the same product.

Third, in most cases, open source communities are extremely fast in fixing bugs and especially security vulnerabilities. In fact, a lot faster than most commercial vendors.

So if you are an R&D executive in a software development company, you shall pay a lot more attention to the code that your developers produce, and then to third party components. With regard to open source components, you should simply follow the CVEs to know if any of the components you use is affected by a known vulnerability, and then follow and update/patch with the new version that fixes the issues, which will likely be available a lot faster than you can imagine.

Having said that, open source code shall be managed (and not just for security), just like you do for your own code or third party. At WhiteSource we try to make such management effortless and easy to use by anyone.

Hope that helps to reduce some of the hype and negative press that open source has received recently. If you think of it, you will also reach the conclusion that it's quite the other way around.
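
The "follow the CVEs" step RonR595 describes, as an added example that is not part of the original comment and is not WhiteSource's code: a script that checks a constructed inventory of shipped components against constructed advisories (the advisory ids are placeholders, not real CVEs) and reports which shipped versions fall inside an affected range and which version carries the fix.

```python
"""Match the open-source components a product ships against published
advisories. Added example; component names, versions and advisory ids
are constructed placeholders, not real projects or CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder id, not a real CVE
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version carrying the fix (exclusive bound)


def parse_version(v: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric; a plain
    string compare would wrongly rank '2.10.0' below '2.9.0'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_affected(components: dict, advisories: list) -> list:
    """Return (component, shipped_version, cve, fixed_version) for every
    advisory whose range covers the version actually shipped.
    `components` maps name -> version, e.g. read from a lockfile or BOM."""
    hits = []
    for adv in advisories:
        shipped = components.get(adv.component)
        if shipped is not None and is_affected(shipped, adv):
            hits.append((adv.component, shipped, adv.cve, adv.fixed))
    return sorted(hits)


# Constructed inventory: what the product actually ships.
COMPONENTS = {"webfw": "2.3.10", "jsonlib": "1.9.0", "imgutil": "0.4.2"}

# Constructed advisories with placeholder ids.
ADVISORIES = [
    Advisory("CVE-0000-EXAMPLE1", "webfw", "2.0.0", "2.3.12"),    # shipped version in range
    Advisory("CVE-0000-EXAMPLE2", "jsonlib", "1.0.0", "1.8.5"),   # already fixed in 1.9.0
    Advisory("CVE-0000-EXAMPLE3", "webfw", "2.3.11", "2.3.13"),   # range starts after 2.3.10
    Advisory("CVE-0000-EXAMPLE4", "xmlparse", "3.0.0", "3.0.9"),  # component not shipped
]

if __name__ == "__main__":
    for name, shipped, cve, fixed in find_affected(COMPONENTS, ADVISORIES):
        print(f"{name} {shipped}: {cve}, upgrade to {fixed}")
```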

 
David F. Carr
User Rank: Strategist
10/23/2014 | 11:20:23 AM
Undermines an open source article of faith
Open source is supposed to be more secure because there are more eyes on it, scrutinizing it for flaws. What this really points out is that this proposition can't be taken as an article of faith. Very broadly implemented open source software, backed by an active community of developers, may in fact be rock solid -- provided that it's patched and updated whenever security bugs are detected. But if an open source library gets embedded in a product and forgotten about, if the open source community behind it loses interest or gets distracted by some shiny, new object, it can easily drift away from that ideal.

Buyer beware! Even when what you're "buying" is free and open.
Jimmy.N
User Rank: Apprentice
10/23/2014 | 9:23:17 AM
Re: open source funding

This is an incredibly screwed perspective. All code will have bugs, vulnerabilities and issues. The difference is that open-source is . . . . OPEN SOURCE, and open to everyone. The point is you have tens of thousands of people around the world looking at the code and finding ways to improve it. With this comes the ability to also utilize its weaknesses for nefarious purposes. Closed source will still have bad things in it, but just harder to find and sometimes patched before anyone knows about it. Is that better than knowing? Maybe if you feel ignorance is bliss, but as a Security Analyst, I just don't drink that kool-aid.

AnonymousMan
User Rank: Moderator
10/23/2014 | 9:05:51 AM
Re: Pending Review
This really isn't about open source IMHO; it's about using 3rd party components. What Veracode didn't tell us is what those vulnerabilities were. Was it outdated libraries or vulnerabilities in current versions? Both are a problem IME, but they mean different things to decision makers. Also, suggesting that using a 3rd party library or component increases risk probably isn't true on the whole if the alternative is to roll your own code.
bpaddock0
User Rank: Apprentice
10/23/2014 | 8:17:38 AM
Proposing Security by obscurity as the solution?
"If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."

They are proposing security by obscurity as the solution?  The Bad Guys/Gals can't see the source code for what is not open-source so it is more secure?  Not likely.

I do understand their point that if you can see the open-source source code then it is certainly easier to look for ways to exploit problems.

Methods for Secure Coding are known, and have been known for years.

Yet few organizations commercial or not take the time to learn and use them.

Thomas Claburn
User Rank: Ninja
10/22/2014 | 6:27:44 PM
open source funding
Maybe it's time for a "tragedy of the commons" fund to secure important open source projects.