Open Source

Submission + - Are Open Source Libraries Any More Vulnerable Than Closed Source? (networkworld.com)

colinneagle writes: My friend and Network World editor Ellen Messmer posted an article yesterday about the results of an analysis by Aspect Security of the Central Repository maintained by Sonatype. The study was announced by Aspect and Sonatype yesterday. Both the study and Ellen's article have set off a bit of a firestorm in both the open source and security communities about the security, or lack thereof, of open source libraries and components.

As noted in Ellen's article, some of the biggest libraries that are widely used and have known vulnerabilities are Google Web Toolkit (GWT), Apache Xerces, Spring MVC, and Struts 1.x.

The buzz with the release of the study and Ellen's article is calling into question whether open source is any more or less secure than closed source code. Another issue is whether or not open source companies and authors are vigilant in closing holes and insecurities in their code. I spoke with Wayne Jackson, CEO of Sonatype, the company that maintains the Central Repository which was the subject of this study. I know Jackson from his days as CEO of Sourcefire. Wayne is a long-time supporter and believer in open source.

Wayne told me that people looking at this study and using it to say that open source is less secure than closed source are mistaken. There are vulnerabilities in just about all code and libraries. The fact that this study saw so much use of vulnerable libraries is more about the popularity and widespread usage of open source than whether it is more or less secure. To Jackson, that is the real finding of this study. Look how many applications and enterprises use open source libraries and components. It is pretty ubiquitous.
