Wheeler: Insecure open source software libraries?
Posted Apr 6, 2012 20:36 UTC (Fri) by david.a.wheeler
In reply to: Wheeler: Insecure open source software libraries?
Parent article: Wheeler: Insecure open source software libraries?
FLOSS has some potential security advantages, namely, it better meets the "open design" principle. But potential is not the same as actual; a particular FLOSS library can be awful as well as good. So you shouldn't pick a library (FLOSS or not) until you've determined that it's okay to use.
The main issue of the cited report, though, is that developers aren't keeping up with the libraries they use. If they write a program (or library) that uses SOMELIB version 1.0, then 7 years later, after many updates, they're still using SOMELIB version 1.0. Even though SOMELIB version 1.0 is 20 versions behind and has a hundred known vulnerabilities.
One potential advantage of FLOSS is that, through many eyes, many vulnerabilities can be found and fixed. But that doesn't help if people do not USE the fixed versions. That's the problem here; the FLOSS libraries are getting updated, but people aren't using the updated libraries.
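The SOMELIB scenario above (a project pinned to version 1.0 while the library moves 20 releases ahead and accumulates known vulnerabilities) is exactly what a stale-dependency audit is meant to surface. The following is an added example, not code from the comment or its author: it parses a pip-style requirements file, compares each pin against a release history, and lists which advisories still apply to the pinned version. The release lists, advisory identifiers and requirements file are all constructed sample data, not real records.

```python
"""Stale-dependency audit: an added, self-contained example (not from the LWN
comment or its author). All release histories and advisories below are
constructed sample data, not real vulnerability records."""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    library: str
    advisory_id: str      # constructed placeholder identifier
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive upper bound)


@dataclass
class Finding:
    library: str
    pinned: str
    latest: str
    versions_behind: int
    open_advisories: list = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> dict:
    """Parse pip-style 'name==version' lines; other specifiers are ignored here."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """A version is affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(requirements: str, releases: dict, advisories: list) -> list:
    """For every pinned library known in `releases`, report how far behind the
    latest release it is and which advisories still apply to the pinned version."""
    findings = []
    for lib, pinned in parse_requirements(requirements).items():
        if lib not in releases:
            continue  # unknown library: nothing to compare against
        ordered = sorted(releases[lib], key=parse_version)
        newer = [r for r in ordered if parse_version(r) > parse_version(pinned)]
        open_adv = [a.advisory_id for a in advisories
                    if a.library == lib and is_affected(pinned, a)]
        findings.append(Finding(lib, pinned, ordered[-1], len(newer), open_adv))
    return findings


# Constructed sample data modelled on the comment's SOMELIB scenario.
SAMPLE_RELEASES = {
    "somelib": [f"1.{n}" for n in range(0, 21)],   # 1.0 .. 1.20
    "otherlib": ["2.0", "2.1"],
}
SAMPLE_ADVISORIES = [
    Advisory("somelib", "ADV-0001 (placeholder)", "1.0", "1.4"),
    Advisory("somelib", "ADV-0002 (placeholder)", "1.0", "1.17"),
    Advisory("somelib", "ADV-0003 (placeholder)", "1.9", "1.12"),  # does not hit 1.0
]
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
somelib==1.0
otherlib==2.1
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS, SAMPLE_RELEASES, SAMPLE_ADVISORIES):
        status = "OK" if not f.open_advisories and f.versions_behind == 0 else "STALE"
        print(f"{f.library}=={f.pinned}: latest {f.latest}, "
              f"{f.versions_behind} behind, advisories={f.open_advisories} [{status}]")
```

Run as-is it reports somelib==1.0 as 20 versions behind with two open advisories and otherlib==2.1 as current. In practice the `releases` and `advisories` inputs would come from a package index and a vulnerability database rather than inline constants; the comparison logic is the same, and running it in CI is what turns "the fix exists upstream" into "the fix is actually deployed".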