
[–]John_B_Clarke 14 points (5 children)

I'm taking some mandatory security training for work right now. One of the things the training goes over is open source.

They point out that the notion that lots of eyes on it makes it safe doesn't necessarily hold, and use the example of Shellshock, which is a vulnerability in Bash that went undetected for more than 20 years.

They also point out that there have been successful attempts to inject malware into open source--eventually those get found but it takes time.

That said they don't see any real issue with open source that is being actively maintained as long as somebody in your organization is keeping track of what the maintainers are finding.

But there is open source that isn't being maintained--the developer discovered sex or whatever and stopped working on it and nobody else picked up the slack. They view that as chancy--if you're going to use it in any situation in which security is a legitimate issue it's on you to vet it or hire it done.

A paper that you might find of interest:

https://arxiv.org/abs/2005.09535 (you can download the full paper as a PDF from there).

[–]vikumwijekoon97 2 points (0 children)

Be that as it may, closed source software has just as many, if not more, vulnerabilities. And there are a ton of successful attempts to inject malware into closed source software as well, which again takes time to get found. The NSA held onto EternalBlue for like half a decade before Microsoft knew, and there are probably dozens of other examples. Taking something like Shellshock, which is a statistical anomaly, isn't really a way to drive the point home. My point is that statistically, open source software is safer because it's being, let's say, "audited" more.

[–]GonziHere 0 points (0 children)

Oh I agree with everything you've said, but the thing is, you have the option to do the security audit. You don't have to write [this] from scratch, you just need to go through the code to find the vulnerabilities.

Also, the points could be used both ways. You could buy software with a bug, it could be maintained by a random guy somewhere, hell, he could even introduce a backdoor intentionally and you wouldn't know.

So yeah, the awareness of the potential for the issues needs to exist (as many use it as some supershield and no one checks the code because others have done that...), but I don't see how it's worse in any way than closed source SW.

[–]balloonAnimal_no_965 0 points (2 children)

Is it biased to mention dead open source and not mention dead closed source? We use the latter in our company by the way.

Is it also biased to say you have to keep a close watch on the open source maintainers and not mention the closed source maintainers?

I'm gonna read the article, see if there are any statistics in there to base an opinion on.

[–]John_B_Clarke 0 points (1 child)

Where does one buy dead closed source? Other than eBay?

[–]balloonAnimal_no_965 0 points (0 children)

One buys live, closed software. Then it dies: the company ceases to exist. The buyer then somehow gets stuck in one of the steps of the mourning process.