About Sonatype

Sonatype in the News

Security of open-source software again being scrutinized

Published: March 13, 2013 04:45


A recent round of flaws discovered in open-source software has reignited concerns that  security is getting bypassed in the rush to continue expanding the large and extremely popular code base used by millions.

For instance, although the Java-based Spring Framework was criticized by security researchers in January as having a major flaw that allowed remote-code execution by attackers against applications built with it, the updates to Spring this week don't address this security problem.

"Unfortunately, this is the way a lot of  open source vulnerabilities go," said Jeff Williams, CEO at Aspect Security, which pointed out two months ago that the "expression-language" feature in Spring should be disabled until the issue related to potential remote code execution is remediated. But the  updates to Spring out this week don't address this problem, though they do expand Spring functionality. Spring Framework is managed under SpringSource, a division of VMware.

Network World

Network World

Security of open-source software again being scrutinized