Dark Reading is part of the Informa Tech Division of Informa PLC


Open-Source Software Brings Bugs To Web Applications
User Rank: Strategist
10/28/2014 | 11:30:40 AM
Re: Security is a Mindset, Not a License
Christian, there are actually studies that verified your gut feeling, and have shown that the number of bugs and security vulnerabilities is substantially the same in FOSS and proprietary code.
User Rank: Ninja
10/25/2014 | 3:26:36 AM
Security is a Mindset, Not a License
I've been buried in Free and Open Source Software (FOSS) since the 1990s.  My day job typically was full of proprietary, heavily licensed and dongled software.  In getting to know FOSS project members, and rubbing shoulders with commercial software programmers, I quickly learned that security, secure coding, and just an overall sense of keeping the end user's data safe from prying eyes had nothing to do with the license on the code, but mostly the mentality of the coder and/or project manager behind the code.  Trend out 1,000 proprietary apps and 1,000 FOSS apps and I think the story on vulnerabilities and exploits will level out between the two.  The Center for Internet Security and OWASP are excellent resources for the casual software project team member to become familiar with and take a cue from.  While everyone else is arguing over whether FOSS or locked down apps are more secure, you can start coding securely from the ground up and demonstrate a little more respect for your end users than the next app, whatever its license may be.
Thomas Claburn
User Rank: Ninja
10/23/2014 | 6:50:57 PM
Re: open source funding
Agreed. The legal status of code doesn't reflect the quality of the code.
User Rank: Moderator
10/23/2014 | 12:55:43 PM
Re: Undermines an open source article of faith
Fair enough, I personally don't agree that open source is more or less secure either. The same technical complexities exist and the same flawed humans are writing the code either way. But it's also worth pointing out that product abandonment is a bigger problem for closed source IMHO. Companies abandon products in favor of some shiny new object all the time. At least with open source, you have the option of fixing a vulnerability yourself (e.g. Struts framework vulnerabilities).
User Rank: Strategist
10/23/2014 | 11:39:14 AM
Different viewpoint: managing security of open source is actually EASIER than your own code

Let me start with a disclaimer: I am co-founder and chairman of WhiteSource.

First, I think everyone would agree that open source is the single most important catalyst to software development these days. With open source, product developers can focus on their own contribution, and can use good and well tested open source for all the rest.

Second, all the evidence is that open source code is of the same quality as tested commercial code (there are numbers to support that). That means it has bugs and it has security vulnerabilities, but no more nor less than commercial code. Within a given product, NEW code is most likely more buggy and more vulnerable (on average) than the open source components in the same product.

Third, in most cases, open source communities are extremely fast in fixing bugs and especially security vulnerabilities. In fact, a lot faster than most commercial vendors.

So if you are an R&D executive in a software development company, you shall pay a lot more attention to the code that your developers produce, and then to third party components. With regard to open source components, you should simply follow the CVEs to know if any of the components you use is affected by a known vulnerability, and then follow and update/patch with the new version that fixes the issues, which will likely be available a lot faster than you can imagine.

Having said that, open source code shall be managed (and not just for security), just like you do for your own code or third party. At WhiteSource we try to make such management effortless and easy to use by anyone.

Hope that helps to reduce some of the hype and negative press that open source has received recently. If you think of it, you will also reach the conclusion that it's quite the other way around.

David F. Carr
User Rank: Strategist
10/23/2014 | 11:20:23 AM
Undermines an open source article of faith
Open source is supposed to be more secure because there are more eyes on it, scrutinizing it for flaws. What this really points out is that this proposition can't be taken as an article of faith. Very broadly implemented open source software, backed by an active community of developers, may in fact be rock solid -- provided that it's patched and updated whenever security bugs are detected. But if an open source library gets embedded in a product and forgotten about, if the open source community behind it loses interest or gets distracted by some shiny, new object, it can easily drift away from that ideal.

Buyer beware! Even when what you're "buying" is free and open.
User Rank: Apprentice
10/23/2014 | 9:23:17 AM
Re: open source funding

This is an incredibly screwed perspective. All code will have bugs, vulnerabilities and issues. The difference is that open-source is . . . . OPEN SOURCE, and open to everyone. The point is you have tens of thousands of people around the world looking at the code and finding ways to improve it. With this comes the ability to also utilize its weaknesses for nefarious purposes. Closed source will still have bad things in it, but just harder to find and sometimes patched before anyone knows about it. Is that better than knowing? Maybe if you feel ignorance is bliss, but as a Security Analyst, I just don't drink that kool-aid.

User Rank: Moderator
10/23/2014 | 9:05:51 AM
Re: Pending Review
This really isn't about open source IMHO; it's about using 3rd party components. What Veracode didn't tell us is what those vulnerabilities were. Was it outdated libraries or vulnerabilities in current versions? Both are a problem IME, but they mean different things to decision makers. Also, suggesting that using a 3rd party library or component increases risk probably isn't true on the whole if the alternative is to roll your own code.
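Two of the replies above touch the same practical task: the WhiteSource comment recommends following the CVEs for the components you ship and updating when a fixed version appears, and the comment directly above asks whether the reported findings were outdated libraries or flaws in current versions. The script below is an added example illustrating that check, not code from Dark Reading, Veracode, WhiteSource or any commenter. The component names, versions and advisory identifiers in it are constructed for the example (the "ADV-" IDs are placeholders, not real CVE numbers); a real run would load the inventory from a build manifest or SBOM and the advisories from a feed such as NVD, and it assumes plain numeric dotted versions.

```python
"""Match an inventory of third-party components against a vulnerability feed.

Added example (not from the article or any commenter). Inventory, advisories
and identifiers are constructed; the advisory IDs are placeholders, not CVEs.
Each finding is classified as "outdated" (a fixed version exists, so the fix
is an upgrade) or "unfixed" (the current version is affected and no fix has
shipped, so mitigation is needed instead).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.8' into (2, 4, 8) so versions compare numerically.

    Trailing zeros are dropped so that '2.4' and '2.4.0' compare equal.
    Assumes purely numeric dotted versions; anything else raises ValueError.
    """
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ID, constructed for the example
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version, or None if no fix released yet


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory_id: str
    status: str             # "outdated" (fix available) or "unfixed" (no fix yet)
    fixed: Optional[str]


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Cross-reference every shipped component against every advisory."""
    findings: List[Finding] = []
    for component, version in inventory.items():
        for adv in advisories:
            if adv.component != component or not is_affected(version, adv):
                continue
            status = "outdated" if adv.fixed is not None else "unfixed"
            findings.append(Finding(component, version, adv.advisory_id, status, adv.fixed))
    return findings


def run_example() -> List[Finding]:
    """Constructed sample data: three shipped components, three advisories."""
    inventory = {
        "example-web-framework": "2.3.14",   # affected, fix exists in 2.3.16
        "example-upload-lib": "1.3.1",       # affected, no fix released yet
        "example-json": "2.4.0",             # already past the fixed version
    }
    advisories = [
        Advisory("ADV-0001", "example-web-framework", "2.0.0", "2.3.16"),
        Advisory("ADV-0002", "example-upload-lib", "1.0", None),
        Advisory("ADV-0003", "example-json", "2.0.0", "2.3.0"),
    ]
    return scan(inventory, advisories)


if __name__ == "__main__":
    for f in run_example():
        fix = f"upgrade to {f.fixed}" if f.fixed else "no fixed release; mitigate"
        print(f"{f.component} {f.version}: {f.advisory_id} [{f.status}] -> {fix}")
```

Splitting findings into "outdated" and "unfixed" is the distinction the comment above asks for: the first group is a patching backlog that an upgrade closes, the second is real exposure in the current release that needs a workaround or a vendor fix. The half-open range [introduced, fixed) mirrors how most advisory feeds express affected versions.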
User Rank: Apprentice
10/23/2014 | 8:17:38 AM
Proposing Security by Obscurity as the Solution?
"If everybody can see the code, then if a motivated attacker wants to come and find you [via that code], they have the ability and intelligence to find ways to exploit that easier than if it's closed code."

They are proposing security by obscurity as the solution?  The Bad Guys/Gals can't see the source code for what is not open-source so it is more secure?  Not likely.

I do understand their point that if you can see the open-source source code then it is certainly easier to look for ways to exploit problems.

Methods for Secure Coding are known, and have been known for years.

Yet few organizations commercial or not take the time to learn and use them.

Thomas Claburn
User Rank: Ninja
10/22/2014 | 6:27:44 PM
open source funding
maybe it's time for a "tragedy of the commons" fund to secure important open source projects.
