Don’t blame security breaches on open source technology – the problem is lack of oversight
Published: March 17, 2013 03:41
A hacker attack recently shut down the ad service OnRamp completely. In an official statement posted on its forums a few weeks ago, OpenX, the parent company of OnRamp, questioned the security of open source technology.
Let me be clear about this: This isn’t an open source issue, and we shouldn’t level blame on open source users and producers (Full disclosure: my company Sonatype is an open source software development firm). Economic and production efficiencies of open source have made it an almost compulsory component of any modern software application. We’ve all reaped tremendous benefits from open source – we develop fast, re-use proven components, and can focus more time on the functionality that’s truly valuable to our employers.
It’s not just that open source is good – it’s necessary. That’s why more than 70,000 organizations made nearly 8 billion requests for open source components from the Central Repository last year for use in all the major categories of applications, including the web, cloud, mobile and critical infrastructure.
The hard truth is that today more than 80 percent of a typical software application is assembled from existing components – and the vast majority of those are open source, coming from dozens, if not hundreds, of individual projects. All industry verticals, both regulated and unregulated, are using tremendous amounts of open source components in both internal and consumer-facing applications.
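The oversight the title calls for starts with knowing which components an application actually pulls in. As an added illustration (not code from the article or from Sonatype), the script below builds a minimal component inventory from a Maven `pom.xml`, the manifest used for Central Repository artifacts: it resolves `${property}` version references, records the dependency scope, flags dependencies whose version is not pinned in the file, and counts how many distinct upstream projects (groupIds) the application depends on. The POM content, project names and versions are constructed for the example.

```python
"""Build a component inventory (a minimal bill of materials) from a Maven pom.xml."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample POM (not from the article); groupIds, artifactIds and
# versions are illustrative placeholders, not real projects.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>shop-web</artifactId>
  <version>1.0.0</version>
  <properties>
    <logging.version>2.0.0</logging.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example.logging</groupId>
      <artifactId>log-core</artifactId>
      <version>${logging.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example.logging</groupId>
      <artifactId>log-json</artifactId>
      <version>${logging.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>web-mvc</artifactId>
      <version>3.1.4</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.example.test</groupId>
      <artifactId>unit-harness</artifactId>
      <version>5.2.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.example.db</groupId>
      <artifactId>jdbc-pool</artifactId>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(elem, tag):
    """Text of a namespaced child element, or None if absent."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${property} references; unknown properties are left in place."""
    if value is None:
        return None
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def inventory(pom_xml):
    """Return (groupId, artifactId, version, scope) for each declared dependency.

    A missing version is reported as 'UNPINNED' so reviewers can see components
    whose version is decided elsewhere (parent POM, BOM import, or resolution).
    """
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()
    for key in ("groupId", "artifactId", "version"):  # ${project.*} references
        if _text(root, key):
            props[f"project.{key}"] = _text(root, key)
    result = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        version = _resolve(_text(dep, "version"), props) or "UNPINNED"
        scope = _text(dep, "scope") or "compile"
        result.append((_text(dep, "groupId"), _text(dep, "artifactId"), version, scope))
    return result


def summarize(components):
    """Count components per upstream project (groupId) and list unpinned versions."""
    per_project = Counter(gid for gid, _, _, _ in components)
    unpinned = [(g, a) for g, a, v, _ in components if v == "UNPINNED"]
    runtime = [c for c in components if c[3] != "test"]
    return {"total": len(components), "runtime": len(runtime),
            "projects": dict(per_project), "unpinned": unpinned}


if __name__ == "__main__":
    comps = inventory(SAMPLE_POM)
    for c in comps:
        print("%s:%s:%s (%s)" % c)
    print(summarize(comps))
```

Only direct dependencies are listed here; a real inventory would also walk transitive dependencies (for example from `mvn dependency:tree` output), which is where the "dozens, if not hundreds" of projects usually come from. The `UNPINNED` marker is the review signal: a component whose version is not fixed in the manifest is one nobody has consciously chosen.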