Commercial software chokkas with ancient brutal open source vulns

Commercial software is riddled with old critical open source flaws that are largely hidden from the eyes of enterprises, according to Black Duck Software. The manual audit report The State of Open Source Security in Commercial Applications [PDF] by the open source security tester studied 200 applications over a six month …

  1. MacroRodent
    FAIL

    Fossil OSS

    A common reason is that at some point an open source component is embedded into the closed commercial software (possible with many licenses), but forgotten and never updated. Company bureaucracy can also seriously contribute to this. In one organization I know, a legal clearance process is required for any included piece of OSS (good practice), but the clearance applies to a specific version only, down to the last version number digit. If you want to update it, if only to get minor bug fixes, you have to request another clearance. You can guess where this leads...

    1. Anonymous Coward
      Childcatcher

      Open Source FUD ™

      The City of London has no problem in using Open Source, nor does Goldman Sachs, nor does the LSE (to name but three), all without having to consult a single lawyer. Once you accept the terms of the license then no lawyer can come after you for violating their 'intellectual property'. Unless, that is, you've signed a contract with either Oracle or Redmond and/or are selling Android phones.

      @MacroRodent: "A common reason is that at some point an open source component is embedded into the closed commercial software (possible with many licenses), but forgotten and never updated. Company bureaucracy can also seriously contribute to this. In one organization I know, a legal clearance process is required for any included piece of OSS (good practice), but the clearance applies to a specific version only, down to the last version number digit. If you want to update it, if only to get minor bug fixes, you have to request another clearance. You can guess where this leads..."

      1. MacroRodent

        Re: Open Source FUD ™

        The City of London has no problem in using Open Source, nor does Goldman Sachs [...]

        I don't think these organizations ship products containing open source code. The one I had in mind does. This may create more obligations, depending on the particular licenses.

        I agree there is a lot of FUD and over-cautiousness about open source use, but a technology company that stuffed any good-looking open source code into their products without anyone competent checking the licenses would be irresponsible. However, the legal clearance should accept that the open source code evolves, and it must be possible to upgrade the open source components without a huge song and dance. For example, the legal eagles could declare that all versions of Foobar 2.x are OK to use in products, provided the license does not change from the one they vetted.

  2. Ken Hagan Gold badge

    In fairness...

    ...commercial software is almost certainly also chokka with shiny new closed source vulns. In fact, since the motive for importing some OSS code is that you don't have the time to write your own version, the closed source parts of the code are probably lower quality and so the vulns are probably easier to find by fuzzing.

    1. Anonymous Coward
      Anonymous Coward

      Re: In fairness...

      Code reuse is a basic requirement of software development - you use external libraries because you don't have the time or the skills (or both) to write them yourself - and it really doesn't matter if the libraries are open source or not.

      You should have a process in place that ensures that every piece of code is kept up to date, especially when it comes to your product's (and your customers'/users') security. With open source libraries you also have fewer excuses, because you usually don't have to pay for new versions.

      It's just that, in my experience, commercial closed source companies that heavily rely on open source code are also those who are too mean to buy commercial libraries and pay good developers to maintain the code... and that's the result.

      1. Anonymous Coward
        Anonymous Coward

        Re: In fairness...

        Code reuse is a basic requirement of software development

        Code reuse was last century's Holy Grail of software development. We pretty much found it, but there's a catch: it's poisonous.

        It's a requirement for the Agile(TM) Rapid(TM) programming-lite "development" of Cheap and Bloated software.

        Thing is, most useful software seems to fall into two classes, A) small throwaway scripts not shared with the world, and B) highly polished applications relying upon a conservative set of stable OS/library code (and high-quality specialized hardware in some instances).

    2. Pompous Git Silver badge
      Pint

      Re: In fairness...

      Dunno why you were downvoted. Maybe it's because you answered my question before I had time to post it. So have an upvote. And a beer.

      1. sad_loser

        Re: In fairness...

        top handle there, PG!

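MacroRodent's suggestion above (clear "all versions of Foobar 2.x" provided the license text does not change) and the reply's point that every embedded component should be kept current are the two checks an audit tool would actually run. The script below is an added example, not code from the article, from Black Duck or from any commenter. All component names, versions, license texts and the "upstream" feed are constructed for illustration; the range syntax (`2.x`, `1.4.x` or an exact version) is an assumed house convention, not any vendor's format.

```python
"""Added example: clear embedded OSS components by version range and license
fingerprint, and flag components that have fallen behind upstream."""
import hashlib

# Constructed license texts (hypothetical, shortened MIT-style wording).
VETTED_LICENSE = (
    "Permission is hereby granted, free of charge, to any person obtaining "
    "a copy of this software, to deal in the Software without restriction."
)
ALTERED_LICENSE = VETTED_LICENSE + "\nAdditional clause: no commercial redistribution."


def fingerprint(text):
    """SHA-256 of the license with whitespace normalised, so a reflowed or
    re-wrapped copy of the same license still matches the vetted one."""
    canonical = " ".join(text.split())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Legal clearances: a version range plus the fingerprint of the license text
# that was vetted. Any release in the range with the same license is cleared.
CLEARANCES = {
    "foobar": {"range": "2.x", "license_sha256": fingerprint(VETTED_LICENSE)},
    "bazlib": {"range": "1.4.x", "license_sha256": fingerprint(VETTED_LICENSE)},
}

# Constructed upstream feed: latest release and the oldest release the
# project considers free of known, fixed defects (hypothetical values).
UPSTREAM = {
    "foobar": {"latest": "2.9.1", "min_safe": "2.7.0"},
    "bazlib": {"latest": "1.4.7", "min_safe": "1.4.7"},
    "quxcrypt": {"latest": "0.3.0", "min_safe": "0.3.0"},
}

# Constructed component inventory, as an SBOM scan of a product might report it.
INVENTORY = [
    {"name": "foobar", "version": "2.3.1", "license": VETTED_LICENSE},
    {"name": "bazlib", "version": "1.5.0", "license": ALTERED_LICENSE},
    {"name": "quxcrypt", "version": "0.3.0", "license": VETTED_LICENSE},
]


def parse_version(version):
    """'2.3.1' -> (2, 3, 1); tuples compare correctly, unlike version strings."""
    return tuple(int(part) for part in version.split("."))


def in_cleared_range(version, spec):
    """spec is 'N.x' (whole major), 'N.M.x' (whole minor) or an exact version."""
    if spec.endswith(".x"):
        prefix = parse_version(spec[:-2])
        return parse_version(version)[: len(prefix)] == prefix
    return parse_version(version) == parse_version(spec)


def check(component):
    """Return the list of findings for one component (empty list = clean)."""
    findings = []
    name, version = component["name"], component["version"]

    clearance = CLEARANCES.get(name)
    if clearance is None:
        findings.append("no legal clearance on file")
    else:
        if not in_cleared_range(version, clearance["range"]):
            findings.append(f"version {version} outside cleared range {clearance['range']}")
        if fingerprint(component["license"]) != clearance["license_sha256"]:
            findings.append("shipped license text differs from vetted copy")

    upstream = UPSTREAM.get(name)
    if upstream is not None:
        if parse_version(version) < parse_version(upstream["min_safe"]):
            findings.append(f"below minimum safe version {upstream['min_safe']}")
        elif parse_version(version) < parse_version(upstream["latest"]):
            findings.append(f"behind latest release {upstream['latest']}")
    return findings


def audit(inventory):
    """Map each component name to its findings."""
    return {component["name"]: check(component) for component in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or ["ok"])
```

On the constructed inventory this reports foobar as cleared but dangerously old, bazlib as outside its cleared range and shipping a changed license, and quxcrypt as current but never cleared at all. The license fingerprint is what makes a range clearance safe: a bump from 2.3 to 2.9 sails through, but a release that quietly swaps the license trips the check and sends the component back to legal.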
  3. nematoad
    Unhappy

    What?

    Flaws and vulnerabilities in OSS software?

    This begs the question, what kind of OSS license did these companies use when embedding these components in their proprietary offerings.

    If the GPL was used then surely users would be able to study the parts used to see if there were any bugs. With Apache, MIT and so on do users have the right to demand that the software components under those licenses be divulged?

    It would seem that not all FOSS licenses are created equal.

    1. Anonymous Coward
      Anonymous Coward

      Re: What?

      If it's GPLed or AGPLed code, then strictly, That Is Not Allowed. End of quote.

      If it's LGPLed code, they are obliged to provide you the LGPLed portion in source form and should provide the non-LGPLed code in binary form and some sort of linker script to combine the two.

      If it's MIT or BSD, they can pretty much modify it and distribute how they please. Modern BSD looks much the same as MIT to me (I am not a lawyer), earlier BSD licenses required that you advertised the fact you were using that software in your documentation.

      1. Anonymous Coward
        Anonymous Coward

        Re: What?

        But how many commercial devs give a shit? They hide their GPL infringement behind their closed source.

        Which makes GPL more of a burden on the "good guys" than on the "bad guys". BSD/MIT FTW.

  4. billat29
    Alert

    OSS Management Vendor says everyone who doesn't use their stuff must buy their stuff

    It's quite likely that the OSS components in commercial software you are running are not the latest versions. But then again, in my experience, it is very likely that the version of the commercial software you are running is not the latest one either.

    And.

    Some time ago, I did work with products that had open source components. All dutifully acknowledged. Please write to / email this address for the source etc. No one ever did.

  5. goldcd

    Very similar to the issue that plagues Android

    Vulnerabilities are spotted in the raw components/libraries, but getting those onto an actual handset is slow if it ever happens (Google->Handset Maker->Operator->Numpty user pressing install).

    Almost feel nostalgic for the good old days.

  6. Anonymous Coward
    Linux

    Black Duck and open source componentry?

    What were the names of these 'common customer security tools' and how are they more effective at detecting bugs in closed source components?

    What were the names of these commercial software packages containing 'open source componentry'?

    What prevented these commercial clients from consulting the various Open Source bug tracking sites?

    Black Duck, yet another false Microsoft front, entire reason for existing being to trash 'open source'.

    Shame on you, elRegister, for providing a platform for this Black Propaganda.

    1. Anonymous Coward
      Anonymous Coward

      Re: Black Duck and open source componentry?

      That's some shitty propaganda: When you pay for commercial software, you're getting repackaged free software... and two thirds of it is old and unpatched. And I don't doubt it's true.

  7. gonzalo_vc

    FUD for commerce

    It is not only easy but very lucrative for giant corporation$ to blame FLOSS, even when they steal or use and misuse OSS. Proprietary software has been flawed and full of holes forever, and now the portion of OSS code is to blame!!?? Ha! Tell me another joke.

    There is no perfect code, but OSS is known for being much more honest... moreover, it is transparent and they cannot hide a hole for long, as proprietary software does, and there is plenty of information out there about it (window$ server vulnerabilities, iO$ vulnerabilities, etc., etc.).
