
Comments
Open-Source Software Brings Bugs To Web Applications
RonR595,
User Rank: Strategist
10/28/2014 | 11:30:40 AM
Re: Security is a Mindset, Not a License
Christian, there are actually studies that verified your gut feeling, and have shown that the number of bugs and security vulnerabilities is substantially the same in FOSS and proprietary code.
RetiredUser,
User Rank: Ninja
10/25/2014 | 3:26:36 AM
Security is a Mindset, Not a License
I've been buried in Free and Open Source Software (FOSS) since the 1990s. My day job typically was full of proprietary, heavily licensed and dongled software. In getting to know FOSS project members, and rubbing shoulders with commercial software programmers, I quickly learned that security, secure coding, and just an overall sense of keeping the end user's data safe from prying eyes had nothing to do with the license on the code, but mostly the mentality of the coder and/or project manager behind the code. Trend out 1,000 proprietary apps and 1,000 FOSS apps and I think the story on vulnerabilities and exploits will level out between the two. The Center for Internet Security and OWASP are excellent resources for the casual software project team member to become familiar with and take a cue from. While everyone else is arguing over whether FOSS or locked down apps are more secure, you can start coding securely from the ground up and demonstrate a little more respect for your end users than the next app, whatever its license may be.
Thomas Claburn,
User Rank: Ninja
10/23/2014 | 6:50:57 PM
Re: open source funding
Agreed. The legal status of code doesn't reflect the quality of the code.
AnonymousMan,
User Rank: Moderator
10/23/2014 | 12:55:43 PM
Re: Undermines an open source article of faith
Fair enough, I personally don't agree that open source is more or less secure either. The same technical complexities exist and the same flawed humans are writing the code either way. But it's also worth pointing out that product abandonment is a bigger problem for closed source IMHO. Companies abandon products in favor of some shiny new object all the time. At least with open source, you have the option of fixing a vulnerability yourself (e.g. struts framework vulnerabilities).
RonR595,
User Rank: Strategist
10/23/2014 | 11:39:14 AM
Different viewpoint: managing security of open source is actually EASIER than your own code
Let me start with a disclaimer: I am co-founder and chairman of WhiteSource.

First, I think everyone would agree that open source is the single most important catalyst to software development these days. With open source, product developers can focus on their own contribution, and can use good and well tested open source for all the rest.

Second, all the evidence is that open source code is of the same quality as tested commercial code (there are numbers to support that). That means it has bugs and it has security vulnerabilities, but no more nor less than commercial code. Within a given product, NEW code is most likely more buggy and more vulnerable (on average) than the open source components in the same product.

Third, in most cases, open source communities are extremely fast in fixing bugs and especially security vulnerabilities. In fact, a lot faster than most commercial vendors.

So if you are an R&D executive in a software development company, you shall pay a lot more attention to the code that your developers produce, and then to third party components. With regard to open source components, you should simply follow the CVEs to know if any of the components you use is affected by a known vulnerability, and then follow and update/patch with the new version that fixes the issues, which will likely be available a lot faster than you can imagine.

Having said that, open source code shall be managed (and not just for security), just like you do for your own code or third party. At WhiteSource we try to make such management effortless and easy to use by anyone.

Hope that helps to reduce some of the hype and negative press that open source has received recently. If you think of it, you will also reach the conclusion that it's quite the other way around.

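The routine RonR595 describes (know which third-party components you ship, check them against published advisories, move to the version that carries the fix) is what a software-composition check automates. The script below is an added example written for this thread, not code from the thread, from Dark Reading, or from WhiteSource: the manifest, the component names, the advisory identifiers and the version ranges are all constructed placeholders, and a real check would pull its advisory feed from NVD or a vendor source instead of an inline list.

```python
"""Minimal software-composition check: match pinned components against an
advisory feed and report which ones fall inside an affected version range.

Added example, not code from the Dark Reading thread or from WhiteSource.
The manifest and advisory records are constructed; the advisory ids are
placeholders, not real CVE numbers, and the component names are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed requirements-style manifest: one "name==version" per line.
MANIFEST = """\
# constructed component list for illustration
webframework-core==2.3.15
upload-lib==1.3
json-mapper==2.4.2
log-helper==1.0.0
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version that contains the fix (exclusive bound)


# Constructed advisory feed; a real feed would be fetched, not hard-coded.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-2014-0001", "webframework-core", "2.0.0", "2.3.16"),
    Advisory("EXAMPLE-2014-0002", "upload-lib", "1.0", "1.3.1"),
    Advisory("EXAMPLE-2014-0003", "json-mapper", "2.0.0", "2.4.0"),  # pinned version already has the fix
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.15' into (2, 3, 15) so versions compare numerically;
    a plain string comparison would wrongly rank '2.3.9' above '2.3.15'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; blank lines and '#' comments are skipped.
    An unpinned component is an error: without a version nothing can be matched."""
    components: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        components[name.strip().lower()] = version.strip()
    return components


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, compared numerically."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(manifest_text: str,
                    advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (component, pinned_version, advisory_id, fixed_version) for every
    pinned component inside an advisory's affected range, sorted by component."""
    components = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pinned = components.get(adv.component.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.component, pinned, adv.advisory_id, adv.fixed))
    return sorted(findings)


if __name__ == "__main__":
    for component, pinned, adv_id, fixed in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"{component}=={pinned}: {adv_id}, update to >= {fixed}")
```

The numeric version comparison is the part that matters: a feed lists affected ranges, and matching them with string comparison silently misses or mis-reports components once a version component passes nine. The check runs against the manifest alone, so it can sit in a build step and fail the build whenever a pinned component acquires an advisory.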
David F. Carr,
User Rank: Strategist
10/23/2014 | 11:20:23 AM
Undermines an open source article of faith
Open source is supposed to be more secure because there are more eyes on it, scrutinizing it for flaws. What this really points out is that this proposition can't be taken as an article of faith. Very broadly implemented open source software, backed by an active community of developers, may in fact be rock solid -- provided that it's patched and updated whenever security bugs are detected. But if an open source library gets embedded in a product and forgotten about, if the open source community behind it loses interest or gets distracted by some shiny, new object, it can easily drift away from that ideal.

Buyer beware! Even when what you're "buying" is free and open.
Jimmy.N,
User Rank: Apprentice
10/23/2014 | 9:23:17 AM
Re: open source funding
This is an incredibly skewed perspective. All code will have bugs, vulnerabilities and issues. The difference is that open-source is . . . . OPEN SOURCE, and open to everyone. The point is you have tens of thousands of people around the world looking at the code and finding ways to improve it. With this comes the ability to also utilize its weaknesses for nefarious purposes. Closed source will still have bad things in it, but just harder to find and sometimes patched before anyone knows about it. Is that better than knowing? Maybe if you feel ignorance is bliss, but as a Security Analyst, I just don't drink that kool-aid.
AnonymousMan,
User Rank: Moderator
10/23/2014 | 9:05:51 AM
Re: Pending Review
This really isn't about open source IMHO; it's about using 3rd party components. What Veracode didn't tell us is what those vulnerabilities were. Was it outdated libraries or vulnerabilities in current versions? Both are a problem IME, but they mean different things to decision makers. Also, suggesting that using a 3rd party library or component increases risk probably isn't true on the whole if the alternative is to roll your own code.
bpaddock0,
User Rank: Apprentice
10/23/2014 | 8:17:38 AM
Proposing Security by obscurity as the solution?
"If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."

They are proposing security by obscurity as the solution? The Bad Guys/Gals can't see the source code for what is not open-source so it is more secure? Not likely.

I do understand their point that if you can see the open-source source code then it is certainly easier to look for ways to exploit problems.

Methods for Secure Coding are known, and have been known for years.

Yet few organizations, commercial or not, take the time to learn and use them.

Thomas Claburn,
User Rank: Ninja
10/22/2014 | 6:27:44 PM
open source funding
Maybe it's time for a "tragedy of the commons" fund to secure important open source projects.