Open Source’s Vulnerabilities…What Does it Have to Prove?
Jan 23rd, 2008 by Colin
A new study by an open source vendor caught my attention today, as much for what it exposed about open source software as for what it proved. Palamida, which both sells products for auditing open source software and offers audit services, released the results of a study they conducted on open source vulnerabilities. In the study, Palamida identified the five vulnerabilities most frequently overlooked by users in their open source code.
The big-name open source projects one might expect to find were on the list, including JBoss and Geronimo, along with some not-so-big names, such as Zlib. Regardless of the projects cited, what drew my attention to this report was the fact that an open source code auditing company even existed. Call it negligence or a lack of open source knowledge on my part, but I found the report, and Palamida, a great example of how the open source model is simply a better process for developing and perfecting software. And as Palamida’s CEO points out, the results are in no way, shape, or form an indication of open source’s vulnerabilities. Open source code isn’t “any more vulnerable than commercial software, and in many cases, less so.”

Interesting… I think one of the important things to realize is that a lot of those listed are “project-based” open source entities. Unlike SugarCRM, which is a centrally managed product by a core internal team (that an external open source community tests and QAs and builds extensions for), these truly “out there” OS products are far more vulnerable to code compilations that can have snippets of less-than-ironclad code.
I did some work with Black Duck while at the 451 – a similar code auditing firm to Palamida but with a different approach – and their CEO Doug Levin always had some funny and sometimes startling stories about major organizations being shocked at the amount of open source and otherwise non-kosher code in their IT stacks…
Thanks so much for the mention of both our organization and our report. Palamida was founded in 2004 to address intellectual property issues associated with open source code, primarily related to mergers and acquisitions. Open source has always had a large influence on corporate valuations. As the market evolved, and enterprise companies started to “get it” in relation to the usefulness and promise of open source, our business model also evolved. License and version detection were a natural progression for us, and with the release of the GPLv3, we released our gpl3 tracking site that tracked who was, and was not, adopting (projects and companies) the new license. It proved to be one of the most successful sites in the OSS community in 2007. In mid-2007 we moved toward open source vulnerability detection, which again is a product of the evolution and seriousness of the market. While your reader comments on project-based vulnerabilities, we only listed our Top 5; believe me, there were many, many others that are all the usual suspects, but that wasn’t the point of the report. As you note, our CEO makes clear that it isn’t about pointing the finger; it’s about telling companies to wake up and understand what they’re using. If you have an unpatched version of anything in your code base, whose fault is that? We can only facilitate better process and practice, but we can’t fix a mindset. It’s important for development communities to proactively monitor their use of OSS and which versions they employ. Just because it’s out in the wild doesn’t mean it’s safe. Open source communities are top-notch when it comes to repairing their errors; it’s just that organizations need to know the fix is out there. Palamida was founded by developers for developers, while the aim of some others in the market has been toward the legal team. We hope that the sites, reports, and info we provide will continue to be of value to the OSS community.
–Melisa Bleasdale, Palamida