Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Growing Open Source Use Heightens Enterprise Security Risks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:53:13 AM
Re: Frankenstein
Sure, but on an active project gaping security holes will actually get fixed, which is not what we see happening at Microsoft, Sony and many others who refuse to patch things until it becomes a PR issue. When windows had a bug, the rest of us are helpless to do anything about it. When open source had a bug, you fix it and release your patch. Done. Even if your patch isn't included in the new version, you can still use your patch and make it available for others.
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:45:25 AM
Re: Open source and security
Open source means that anyone can do the testing, anyone can review the code. If there's not a large and dedicated community with sufficient expertise backing the project, then you can vet, fix, modify and test it yourself.
lythic
lythic,
 User Rank: Apprentice
5/28/2015 | 11:42:39 AM
Re: Frankenstein
Actually there are several, Google and Facebook's bug bounty programs include open source projects and then there's several independent ones such as bug bounty. Open source tools are the backbone of the internet. Apache projects, for example, are used and supported by almost every major tech company. This means most will test the tool internally before release and many have people on staff who are dedicated to that project. Patches can be reviewed by anyone and there are active discussion forums on bugs and feature requests. Apache projects are often of higher quality than commercial solutions because they are products of collaboration between several of the top tech companies. Apache Hadoop for example, was developed at yahoo, is now supported by two support companies - Hortonworks and Cloudera, and has contributiors from Intel, Facebook, Twitter, VMWare, Microsoft and LinkedIn. The patch behind heartbleed however, was written by one guy who had one person review it. Having open source is only a benefit if people actually read it.
Jon M. Kelley
Jon M. Kelley,
 User Rank: Moderator
1/27/2015 | 9:32:19 AM
In House Developed SW gets no eyes!
I keep seeing discussions about commercial versus open source software, but the bigger hole in delivered special purpose software is the stuff added "in house".  Once delivered, this software typically gets "no eyes" and no patches until it is proven to be successfully attacked or unusable.  Some very large corporations have a habit of assembling a product for in house use, then once accepted by the end user's management, the developers are dispersed to other tasks, and there is no maintenance planned. 

 Too often specialized software developed for government ends the same way:  no follow on after delivery.  The developers were paid to build the product, and the contract ended.  With no plans for paid maintenance, the product gets used until it does something poorly enough to inconvenience upper management.  
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/26/2015 | 9:42:13 PM
Re: WhiteSource proves that open source is safe if used responsibly
re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."

One might think, but research does not support this proposition.  Rather, research demonstrates that the law of diminishing returns is at play when it comes to open-source security review: that there is a maximum number of meaningfully "useful" reviewers, typically between two and four.  See, e.g., Robert L. Glass, Facts and Fallacies of Software Engineering.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/26/2015 | 9:36:44 PM
Re: Frankenstein
The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs.  No such program exists for open source.

Maybe it doesn't need to (after all, Apple typically offers nothing or next to nothing), in terms of hard cash, but certainly some greater incentive would be of great help.  After all, most contributors to open source prefer to stick to features because features are often more interesting and fun.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:38:06 PM
Re: blast from the past
Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source and you are no paying for support then you need to be very carefully getting all the patches in place on time, nobody else will do it for you, and this increase risk level in my view.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:31:57 PM
Re: Frankenstein
I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:29:52 PM
Re: WhiteSource proves that open source is safe if used responsibly
I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.
Dr.T
Dr.T,
 User Rank: Ninja
1/26/2015 | 4:26:26 PM
Open source and security
 

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system and that is where we see security issues more than other systems. 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file