The Inherently Insecure Nature of Open Source Projects
Tech Security Today
Published: March 29, 2012 12:00
A huge percentage of the applications being built these days rely on previously existing components that developers stitch together to make a new application. In fact, the vast majority of these components are open source projects that developers assume to be secure given the peer review process that most open source projects are based on.
Unfortunately, a new report from Sonatype, a provider of project management software for open source application development projects, and Aspect Security, a provider of application security tools, finds otherwise. The report claims that Global 500 organizations downloaded more than 2.8 million insecure components in one year and that there have been more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks.
According to Sonatype CEO Wayne Jackson, open source developers are subject to same lax security practices that seem to affect developers everywhere. While the situation may be improving, the fact remains that the vast majority of the open source components being reused by companies of all sizes these days have lots of security vulnerabilities that are relatively easy to exploit.
The real problem, says Jackson, is the there is no comprehensive notification system that operates across the open source community to inform the organizations when vulnerabilities to open source code have been discovered or when updates that might remediate those issues have been published.
Jackson says it’s unlikely that this issue will push companies back into the arms of commercial software vendors. There’s just too much open source momentum being driven by the cost of commercial software and the amount of developer labor most companies can readily access.
The challenge, says Jackson, is putting a governance model in place that keeps track of what open source artifact is being used in what software project. At least then when vulnerabilities are discovered, the organization using that software has a fighting chance of discovering how much risk is tied to that vulnerability.
It’s unclear to what degree hackers are trolling open source projects looking for vulnerabilities to exploit. But as the tools hackers use to discover vulnerabilities becomes more sophisticated, it’s probably only a matter of time before they get really good at it.