From the ‘Is it FUD?’ files:
I’m always suspicious when I see press releases and studies that claim that somehow open source software is less secure than other forms of software. That’s why I was particularly suspicious of a new study out today sponsored by Apache Maven sponsor Sonatype, claiming that there is widespread use of insecure open source components.
According to the study:
There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
Yeaah, I know I just shook my head too. Reality of course is that any open source release can have vulnerabilities in a legacy version. The ‘magic’ is that many (if not most) open source projects patch rapidly. That’s ultimately why open source is more secure.
Sonatype knows this too and the report notes that:
Community scrutiny drives flaw discovery: Open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components.
So where is the gap? According to them it’s an update issue.
In my experience, using a Linux server/desktop, when my upstream distro has an update for a component, the update system (yum, apt, etc.) gets the update. There isn’t much of a problem. The Linux repository system ensures that if you subscribe to a repo and that repo is updated, then you’ve got the latest stuff.
It’s not clear to me whether or not the Sonatype study is just looking at Windows boxen and/or if the issue applies in their estimation to Linux too (so hey if you work for Sonatype – pls respond to me and lemme know).
No question there are vulnerable open source components, but no question they get updated by their upstream projects as fast (if not faster) than any other form of software. The only question that needs to be answered is – are you up to date?
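To make that closing question checkable for Maven-managed dependencies (where versions are pinned in a pom.xml rather than pulled by a distro repo), here is an added example, not from the post or from Sonatype: it parses a pom.xml, resolves `${property}` versions, and flags any dependency pinned below a patched-version floor. The pom, the coordinates and the floor table are constructed placeholders, not real advisories.

```python
"""Flag Maven dependencies pinned below a known-patched version floor.

Added example, not from the post or from Sonatype. The pom and the
floor table are constructed placeholders, not real advisory data.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed placeholder: groupId:artifactId -> first version treated as
# patched. In practice this table would be fed from an advisory source.
MIN_SAFE = {
    "org.example:legacy-web": "1.3.10",
    "org.example:xml-parser": "2.12.0",
}

# Constructed sample pom: one current pin, one stale pin via a property,
# and one artifact with no advisory entry.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parser.version>2.9.1</parser.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>legacy-web</artifactId><version>1.3.10</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xml-parser</artifactId><version>${parser.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unknown</artifactId><version>0.1</version></dependency>
  </dependencies>
</project>"""

def version_key(v):
    # Simplified Maven ordering: numeric dot segments compare as ints,
    # trailing zeros are ignored (1.3 == 1.3.0), and a qualifier after
    # '-' (e.g. -SNAPSHOT, -beta) sorts before the plain release.
    base, _, qual = v.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    while nums and nums[-1] == 0:
        nums.pop()
    return (nums, 0 if qual else 1, qual)

def resolve(version, props):
    # Maven allows <version>${prop}</version> pointing at <properties>.
    m = re.fullmatch(r"\$\{([^}]+)\}", version or "")
    return props.get(m.group(1), version) if m else version

def outdated_dependencies(pom_xml):
    """Return (coordinate, pinned_version, floor) for pins below the floor."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = f"{dep.findtext('m:groupId', namespaces=NS)}:{dep.findtext('m:artifactId', namespaces=NS)}"
        pinned = resolve(dep.findtext("m:version", namespaces=NS), props)
        floor = MIN_SAFE.get(coord)
        if floor and pinned and version_key(pinned) < version_key(floor):
            findings.append((coord, pinned, floor))
    return findings

if __name__ == "__main__":
    for coord, pinned, floor in outdated_dependencies(SAMPLE_POM):
        print(f"{coord} pinned at {pinned}, patched from {floor}")
```

Dependencies whose version comes from a parent or `dependencyManagement` section have no `<version>` here and are skipped, so a real check should run against the effective pom.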