Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Growing Open Source Use Heightens Enterprise Security Risks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:53:13 AM
Re: Frankenstein
Sure, but on an active project gaping security holes will actually get fixed, which is not what we see happening at Microsoft, Sony and many others who refuse to patch things until it becomes a PR issue. When windows had a bug, the rest of us are helpless to do anything about it. When open source had a bug, you fix it and release your patch. Done. Even if your patch isn't included in the new version, you can still use your patch and make it available for others.
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:45:25 AM
Re: Open source and security
Open source means that anyone can do the testing, anyone can review the code. If there's not a large and dedicated community with sufficient expertise backing the project, then you can vet, fix, modify and test it yourself.
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:42:39 AM
Re: Frankenstein
Actually there are several, Google and Facebook's bug bounty programs include open source projects and then there's several independent ones such as bug bounty. Open source tools are the backbone of the internet. Apache projects, for example, are used and supported by almost every major tech company. This means most will test the tool internally before release and many have people on staff who are dedicated to that project. Patches can be reviewed by anyone and there are active discussion forums on bugs and feature requests. Apache projects are often of higher quality than commercial solutions because they are products of collaboration between several of the top tech companies. Apache Hadoop for example, was developed at yahoo, is now supported by two support companies - Hortonworks and Cloudera, and has contributiors from Intel, Facebook, Twitter, VMWare, Microsoft and LinkedIn. The patch behind heartbleed however, was written by one guy who had one person review it. Having open source is only a benefit if people actually read it.
Jon M. Kelley
Jon M. Kelley,
 User Rank: Moderator
1/27/2015 | 9:32:19 AM
In House Developed SW gets no eyes!
I keep seeing discussions about commercial versus open source software, but the bigger hole in delivered special purpose software is the stuff added "in house".  Once delivered, this software typically gets "no eyes" and no patches until it is proven to be successfully attacked or unusable.  Some very large corporations have a habit of assembling a product for in house use, then once accepted by the end user's management, the developers are dispersed to other tasks, and there is no maintenance planned. 

 Too often specialized software developed for government ends the same way:  no follow on after delivery.  The developers were paid to build the product, and the contract ended.  With no plans for paid maintenance, the product gets used until it does something poorly enough to inconvenience upper management.  
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/26/2015 | 9:42:13 PM
Re: WhiteSource proves that open source is safe if used responsibly
re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."

One might think, but research does not support this proposition.  Rather, research demonstrates that the law of diminishing returns is at play when it comes to open-source security review: that there is a maximum number of meaningfully "useful" reviewers, typically between two and four.  See, e.g., Robert L. Glass, Facts and Fallacies of Software Engineering.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/26/2015 | 9:36:44 PM
Re: Frankenstein
The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs.  No such program exists for open source.

Maybe it doesn't need to (after all, Apple typically offers nothing or next to nothing), in terms of hard cash, but certainly some greater incentive would be of great help.  After all, most contributors to open source prefer to stick to features because features are often more interesting and fun.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:38:06 PM
Re: blast from the past
Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source and you are no paying for support then you need to be very carefully getting all the patches in place on time, nobody else will do it for you, and this increase risk level in my view.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:31:57 PM
Re: Frankenstein
I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:29:52 PM
Re: WhiteSource proves that open source is safe if used responsibly
I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:26:26 PM
Open source and security
 

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system and that is where we see security issues more than other systems. 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...