To “Open Source” or “Not to Open Source”

Friday, July 27, 2012

Andrew Sanicola


Article by Hiren Shah

In the IT World, the strategy “To Open Source or Not to Open Source” is a perennial debate.

While traveling last year, I came across many large global financial institutions that are adopting open source as the strategy for implementing all future solutions.

Adoption of open source technology is a good strategy, especially given the complex licensing regimes practiced by many large software vendors.

While security is an issue that bears upon the decision to go for it, not many fully understand how to address the security concerns when operationalizing the “Open Source Stack” strategy.

In recent times we have been called in to test many applications that are built on open source applications or on a complete open source stack. Testing these applications has provided us with some valuable insights to consider before going the open source way.

Before I discuss this, let me highlight that very rarely is an open source product used as-is. In most instances, the product undergoes heavy customization, including installation of many extensions. In light of this, our tests revealed two very important insights.

One, many open source products have add-ons, extensions, plug-ins etc. that make them attractive in many ways. While the core application itself is mostly secure, it is these extensions and plug-ins, contributed by many diverse developers and organizations, that introduce vulnerabilities into the open source product as a whole.

The graph below shows the number of vulnerabilities introduced in Joomla, a very popular open source CMS, between 2005 and 2011.

[Graph: Open source vulnerabilities]

While the graph may shock you, it is actually not surprising since Joomla has more than 1700 extensions and add-on modules. While many of those vulnerabilities may have been fixed, what we recommend is to select only those extensions that do not have any known vulnerabilities.
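As an added illustration of that recommendation (not code from the original post), the script below inventories Joomla extension manifests and flags any whose installed version is below the fix version recorded in an advisory list. The manifests and the advisory entry are constructed samples, and the tuple-based version comparison is an assumption about how the extensions are versioned.

```python
"""Inventory Joomla extensions from their manifest XML and flag versions with known advisories."""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests in the Joomla extension manifest layout (name/version elements).
MANIFESTS = {
    "plg_example_one.xml": """<extension type="plugin" version="2.5" group="system">
  <name>plg_example_one</name><version>1.4.2</version></extension>""",
    "com_example_two.xml": """<extension type="component" version="2.5">
  <name>com_example_two</name><version>3.0.1</version></extension>""",
}

# Constructed advisory list: extension name -> version in which the issue was fixed.
# Any installed version below the fix version is treated as affected.
ADVISORIES = {
    "plg_example_one": "1.5.0",   # hypothetical advisory, not a real CVE
}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); non-numeric parts are dropped so comparison stays sane."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def read_manifest(xml_text):
    """Return (name, version, extension type) from one manifest document."""
    root = ET.fromstring(xml_text)
    return root.findtext("name").strip(), root.findtext("version").strip(), root.get("type")


def audit(manifests, advisories):
    """Return {name: (installed, fixed_in)} for extensions older than their advisory fix."""
    flagged = {}
    for xml_text in manifests.values():
        name, version, _ = read_manifest(xml_text)
        fixed = advisories.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            flagged[name] = (version, fixed)
    return flagged


if __name__ == "__main__":
    for name, (have, fixed) in audit(MANIFESTS, ADVISORIES).items():
        print(f"{name}: installed {have}, advisory fixed in {fixed}")
```

Extensions that match no advisory are silently accepted here, so the advisory list must be kept current for the check to mean anything.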

Two, all our tests have revealed that the customizations done during implementation have always introduced new vulnerabilities. So expecting fewer vulnerabilities simply because customization involves limited coding is a fallacy.

Conclusion: Conducting a thorough vulnerability assessment and source code review is even more vital when implementing open source products, to cover your bases against any vulnerability that was introduced during implementation or that was already present but unknown.

But this should not deter you from taking a strategic call on adoption of open source technologies.

With the right security partner, you should be able to get the strategic advantages of Open Source, whether that be cost savings or risk mitigation! Until next time, stay safe!

Follow Hiren’s views on Twitter @hiren_sh or on his blog.

Cross posted from Port80 Software
