Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Growing Open Source Use Heightens Enterprise Security Risks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:53:13 AM
Re: Frankenstein
Sure, but on an active project gaping security holes will actually get fixed, which is not what we see happening at Microsoft, Sony and many others who refuse to patch things until it becomes a PR issue. When windows had a bug, the rest of us are helpless to do anything about it. When open source had a bug, you fix it and release your patch. Done. Even if your patch isn't included in the new version, you can still use your patch and make it available for others.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:45:25 AM
Re: Open source and security
Open source means that anyone can do the testing, anyone can review the code. If there's not a large and dedicated community with sufficient expertise backing the project, then you can vet, fix, modify and test it yourself.
lythic
50%
50%
lythic,
User Rank: Apprentice
5/28/2015 | 11:42:39 AM
Re: Frankenstein
Actually there are several, Google and Facebook's bug bounty programs include open source projects and then there's several independent ones such as bug bounty. Open source tools are the backbone of the internet. Apache projects, for example, are used and supported by almost every major tech company. This means most will test the tool internally before release and many have people on staff who are dedicated to that project. Patches can be reviewed by anyone and there are active discussion forums on bugs and feature requests. Apache projects are often of higher quality than commercial solutions because they are products of collaboration between several of the top tech companies. Apache Hadoop for example, was developed at yahoo, is now supported by two support companies - Hortonworks and Cloudera, and has contributiors from Intel, Facebook, Twitter, VMWare, Microsoft and LinkedIn. The patch behind heartbleed however, was written by one guy who had one person review it. Having open source is only a benefit if people actually read it.
Jon M. Kelley
50%
50%
Jon M. Kelley,
User Rank: Moderator
1/27/2015 | 9:32:19 AM
In House Developed SW gets no eyes!
I keep seeing discussions about commercial versus open source software, but the bigger hole in delivered special purpose software is the stuff added "in house".  Once delivered, this software typically gets "no eyes" and no patches until it is proven to be successfully attacked or unusable.  Some very large corporations have a habit of assembling a product for in house use, then once accepted by the end user's management, the developers are dispersed to other tasks, and there is no maintenance planned. 

 Too often specialized software developed for government ends the same way:  no follow on after delivery.  The developers were paid to build the product, and the contract ended.  With no plans for paid maintenance, the product gets used until it does something poorly enough to inconvenience upper management.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:42:13 PM
Re: WhiteSource proves that open source is safe if used responsibly
re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."

One might think, but research does not support this proposition.  Rather, research demonstrates that the law of diminishing returns is at play when it comes to open-source security review: that there is a maximum number of meaningfully "useful" reviewers, typically between two and four.  See, e.g., Robert L. Glass, Facts and Fallacies of Software Engineering.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:36:44 PM
Re: Frankenstein
The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs.  No such program exists for open source.

Maybe it doesn't need to (after all, Apple typically offers nothing or next to nothing), in terms of hard cash, but certainly some greater incentive would be of great help.  After all, most contributors to open source prefer to stick to features because features are often more interesting and fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:38:06 PM
Re: blast from the past
Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source and you are no paying for support then you need to be very carefully getting all the patches in place on time, nobody else will do it for you, and this increase risk level in my view.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:31:57 PM
Re: Frankenstein
I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:29:52 PM
Re: WhiteSource proves that open source is safe if used responsibly
I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/26/2015 | 4:26:26 PM
Open source and security
 

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system and that is where we see security issues more than other systems. 
Page 1 / 2   >   >>


News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...