Access and Feeds

Security and Open Source: Open Source Components Save Time but Need to be Closely Monitored

By Dick Weisinger

Is Open Source code vulnerable?  Open Source code is very widely used.  Typically software code bases consist of anywhere from 75 percent to 90 percent of open source.  The problem is that those dependencies are usually black boxes that developers have not had the time to carefully inspect.  Developers typically forget about which open source utilities they’ve used and move on to their next task or project.  They also seldom have the time to monitor updates of the open source components that they’re using in their projects.  That’s particularly troubling when missed updates contain security fixes, and without those fixes, businesses  unwittingly become exposed to vulnerabilities.

Chris Wysopal, CTO of Veracode, said that “the universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”.

Wysopal said “development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using. We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”

GitHub, for example, recently scanned about one half million open source repositories that they host and uncovered more than four million vulnerabilities!  The repository owners were notified, and within the next two months, 450,000 of those vulnerabilities were resolved. GitHub is now scanning all new repository updates to check for security problems and update their owners if any problems are found.

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)
0 comments on “Security and Open Source: Open Source Components Save Time but Need to be Closely Monitored
1 Pings/Trackbacks for "Security and Open Source: Open Source Components Save Time but Need to be Closely Monitored"

Leave a Reply

Your email address will not be published. Required fields are marked *

*

17 − 16 =