Follow Slashdot stories on Twitter


Forgot your password?
Open Source

Submission + - Are Open Source Libraries Any More Vulnerable Than Closed Source? (

colinneagle writes: My friend and Network World editor, Ellen Messmer posted an article yesterday about the results of an analysis by Aspect Security of the Central Repository maintained by Sonatype. The study was announced by Aspect and Sonatype yesterday. Both the study and Ellen's article have set off a bit of a firestorm in both the open source and security communities about the security or lack thereof of open source libraries and components.

As noted in Ellen's article some of the biggest libraries that are used and have known vulnerabilities are Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x.

The buzz with the release of the study and Ellen's article is calling into question whether open source is any more or less secure than closed source code. Another issue is whether or not open source companies and authors are vigilant in closing holes and insecurities in their code. I spoke with Wayne Jackson, CEO of Sonatype, the company that maintains the Central Repository which was the subject of this study. I know Jackson from his days as CEO of Sourcefire. Wayne is a long time supporter and believer in open source.

Wayne told me that people looking at this study and using it to say that open source is less secure than closed source are mistaken. There are vulnerabilities in just about all code and libraries. The fact that this study saw so much use of vulnerable libraries is more about the popularity and wide spread usage of open source than whether it is more or less secure. To Jackson, that is the real finding of this study. Look how many applications and enterprises use open source libraries and components. It is pretty ubiquitous.

Slashdot Top Deals

Too many people are thinking of security instead of opportunity. They seem more afraid of life than death. -- James F. Byrnes