Open Source Changes Fast. Can You Keep Up?

October 04, 2011 By Tim OBrien

2 minute read time

Bouncy Castle. Do those words mean anything to you? If you are a Java developer, you might know that Bouncy Castle is an encryption library often used to generate secure hash codes and encrypt data. In other words, it is a silly project name for a serious purpose. Do you any know that old, released versions of Bouncy Castle have known security vulnerabilities? I’m not writing this to cast a shadow of doubt on the project. Bouncy Castle is an awesome open source library, as is the Spring framework, Commons HttpClient, Tomcat, and Jetty. What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.

There’s a good chance that you might not be focused on this problem. You might not be constantly evaluating your project’s dependencies to analyze the risks.

I’ve been developing enterprise software for years, and it just isn’t something most companies worry too much about. While a company might spend a great deal of money on systems and personnel to keep operating systems patched and networks secured, that same company is likely using an older version of Commons HttpClient 3.1 that presents a denial of service (DoS) vulnerability. In other words, we appreciate the vulnerability of machines and operating systems while simultaneously ignore the security characteristics of the software that runs on these platforms.

As open source becomes more important to the modern enterprise this exposure will only increase. The critical question to ask yourself given the increasing rate of change in open source is “can you keep up?”.

It just so happens that we recently launched Sonatype Insight to help with this very issue. Watch this short video to see how Sonatype Insight. can help you keep up.

Learn more about Sonatype Insight.

Tags: Sonatype Says, security, Open Source, java, AppSec Spotlight

Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development from project inception to developing scaleable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations ranging from small startups to Fortune 100 companies take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.