Filed under: Web and Application Security
Tags: Hiren Shah, information security, infosec, Net-Square Solutions, open source security, Port80 Software, web security
In the IT World, the strategy “To Open Source or Not to Open Source” is a perennial debate. While traveling last year, I came across many large Global Financial Institutions who are adopting Open Source as a strategy to implement all future solutions. Adoption of Open Source technology is a good strategy, especially in the complex licensing regimes practiced by many large software vendors. While security is an issue that bears upon the decision to go for it, not many fully understand how to take care of them when operationalizing the “Open Source Stack” strategy.
In recent times we have been called into test many applications, which are based on open source applications or a complete stack. Testing these applications have provided us some valuable insights to be considered while going the Open Source way.Before I discuss this, let me highlight that very rarely is an open source product used as-is. In most instances, the product undergoes heavy customization, including installation of many extensions. In light of this, our tests revealed two very important insights.
One, that many open source products have add-ons, extensions, plug-ins etc. which make them attractive in many ways. While the core application itself is mostly secure, it is these extensions and plug-ins contributed by many diverse developers and organizations that introduce vulnerabilities into the open source product as a whole. The graph below shows the number of vulnerabilities introduced in Joomla, a very popular open source CMS, between 2005 and 2011.
While the graph may shock you, it is actually not surprising since Joomla has more than 1700 extensions and add-on modules. While many of them may be fixed, what we recommend is to only select those that do not have any known vulnerabilities.
Two, all our tests have revealed that the customizations done during the implementation have always introduced new vulnerabilities. So expecting that there will be less number of vulnerabilities simply because there is limited coding due to customizations is a fallacy.
Conclusion: Conducting a thorough Vulnerability Assessment and Source Code Review is even more vital when implementing open source products to cover your bases against any vulnerability introduced or already present but unknown. But this should not deter you from taking a strategic call on adoption of open source technologies. With the right security partner, you should be able to get the strategic advantages of Open Source, whether that be cost savings or risk mitigation! Until next time, stay safe!
-Hiren Shah, Net-Square SolutionsNo Comments »