My friend and Network World editor, Ellen Messmer posted an article yesterday about the results of an analysis by Aspect Security of the Central Repository maintained by Sonatype. The study was announced by Aspect and Sonatype yesterday. Both the study and Ellen's article have set off a bit of a firestorm in both the open source and security communities about the security or lack thereof of open source libraries and components.
As noted in Ellen's article some of the biggest libraries that are used and have known vulnerabilities are Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x.
The study was pretty exhaustive. Again from Ellen's article:
- 19.8 million (26%) of the library downloads have known vulnerabilities.
- The most downloaded vulnerable libraries were Google Web Toolkit (GWT); Apache Xerces; Spring MVC; and Struts 1.x. (The other libraries examined were: Apache CXF; Hibernate; Java Servlet; Log4j; Apache Velocity; Spring Security; Apache Axis; BouncyCastle; Apache Commons; Tiles; Struts2; Wicket; Java Server Pages; Lift; Hibernate Validator; Java Server Faces; Tapestry; Apache Santuario; JAX-WS; Grails; Jasypt; Apache Shiro; Stripes; AntiSamy; ESAPI; HDIV and JBoss Seam.)
- Spring, the popular application development framework for Java, was downloaded more than 18 million times by over 43,000 organizations in the last year. However, a discovery last year showed a new class of vulnerabilities in Spring's use of Expression Language that could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies.
- in 2010 Google's research team discovered a weakness in Struts2 that allowed attackers to execute arbitrary code on any Struts2 Web application.
- In Apache CXF, a framework for Web Services, which was downloaded 4.2 million times by more than 16,000 organizations in the last 12 months, two major vulnerabilities were discovered since 2010 (CVE-2010-2076 and CVE 2012-0803) that allowed attackers to trick any service using CXF to download arbitrary system files and bypass authentication.
The buzz with the release of the study and Ellen's article is calling into question whether open source is any more or less secure than closed source code. Another issue is whether or not open source companies and authors are vigilant in closing holes and insecurities in their code. I spoke with Wayne Jackson, CEO of Sonatype, the company that maintains the Central Repository which was the subject of this study. I know Jackson from his days as CEO of Sourcefire. Wayne is a long time supporter and believer in open source.
Wayne told me that people looking at this study and using it to say that open source is less secure than closed source are mistaken. There are vulnerabilities in just about all code and libraries. The fact that this study saw so much use of vulnerable libraries is more about the popularity and wide spread usage of open source than whether it is more or less secure. To Jackson, that is the real finding of this study. Look how many applications and enterprises use open source libraries and components. It is pretty ubiquitous.
I was speaking about this very issue and study with my friend Jody Brazil, President and CTO of Firemon later in the day. I do consulting for Firemon on the market, but wanted Jody's take as someone who has been managing software development for many years. Jody's take was that while some open source code may have some vulnerabilities, he finds it no more than closed source development. He also thinks that contrary to what some have said, the open source community is very vigilant about patching and closing any vulnerabilities that are found. Much more so than in the closed source sector. Jody says that this study would now change his use of open source components one bit. Of course he still verifies all of his code and any forward facing code goes through an even more rigorous QA process. But overall Jody was not phased by this
I personally agree with Jody. I think overall the open source community does a great job of fixing any vulnerabilities that are found. With open source, there is nothing hidden, everything is out there for all to see. How many vulnerabilities are discovered in closed source software that takes companies months and sometimes years to fix? Overall the open source system puts more eyes on the code and is overall safer than a closed system.
What do you think? Is open source less secure?