Open Source has great benefits, as we reported a couple of weeks back on the results of Black Duck’s Open Source survey. Benefits like stability, quality, flexibility, no vendor lock-in, and speed of development were frequently cited as reasons why upwards of 67 percent of companies are using open source.
But a companion study by Black Duck was also recently published that found that open source vulnerabilities can be a problem, especially when open source code is combined into much larger projects. The study looked at commercial software and estimated that most commercial software contains at least 100 different elements that originate from open source. About 35 percent of all commercial software consists of open source components.
While on the one hand open source helps speed development, it is also easy to forget about those elements of software once they have been integrated as a component of a larger software package. If the software continues to function correctly, open source components are seldom tracked and reviewed again. The result is that even when open source projects update their software to make improvements and fix vulnerabilities, those fixes often don’t make it back into the larger software packages that are using them.
67 percent of the more than 200 commercial applications examined by Black Duck were found to have vulnerabilities in open source software components. Many of the vulnerabilities that were detected had already been reported, often many years earlier.
Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that “developers are busy and fallible. Users are busy and gullible. These basic truths are never going to change. Identifying vulnerabilities and fixing them one by one is the proverbial ‘whack-a-mole’ security plan.”
Paul Vixie, CEO at Farsight Security Inc., told SearchSecurity that “technology providers win or lose based on time to market, feature level and price. Security is sometimes thought about afterward, and field upgrades and patches are usually not thought about at all. I think it’s reasonable to assume that most bugs will live forever, somewhere.”