At the recent Black Hat security show in Las Vegas, SaaS vulnerability management company Qualys announced a new open source security tool called Blind Elephant. The tool is used to fingerprint specific versions of web apps and plug-ins. Somehow or another, John Dunn of Techworld (I saw the article in PC World) turned this into "Open Source Web Apps Called Often Insecure". So he is taking this new open source security tool and trying to say that it proves open source web apps are insecure.

Sounds to me like a case of Starkist wants tuna that tastes good, not tunas with good taste ;-). The tool is open source, but that doesn't mean it only checks for open source web apps, nor does it mean that open source web apps are any more or less secure than non-open source web apps. Instead, John and/or PC World link to two articles that call into question the security of open source apps (one says open source should take a lesson from Microsoft on security), and this seems to be the continuation of a theme over there.

Let's get this straight though. The folks at Qualys have released a tool called Blind Elephant. It is open source and can be downloaded from Sourceforge here. It is not a vulnerability scanner, in that it does not look for specific vulnerabilities. It is a fingerprinting tool. It looks for and determines the exact version of the web application in use. Based upon the version in use, it can tell you if it is an old version and one that may have known vulnerabilities. But it does not say for sure whether the web app you are running is vulnerable. If you have done something to negate or neutralize the known issues in the version of the app you are running, it does not check that. It is just fingerprinting versions. By the way, that is still incredibly valuable. But let's keep in mind what is actually going on here.
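To make the distinction concrete, here is a small version fingerprinter of the same general kind (compare hashes of a site's static files against a table built from known releases, then judge only whether the version is current). It is an added illustration written for this post, not Blind Elephant's own code; the release table, file contents and version numbers are constructed sample data.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed sample releases: version -> {static file path: file bytes}.
# A real signature table is built from every published release of the app.
RELEASES: Dict[str, Dict[str, bytes]] = {
    "2.0": {"styles/site.css": b"body{color:red}", "js/app.js": b"var v=2;"},
    "2.1": {"styles/site.css": b"body{color:red}", "js/app.js": b"var v=2.1;"},
    "3.0": {"styles/site.css": b"body{color:blue}", "js/app.js": b"var v=3;"},
}
LATEST = "3.0"  # assumed newest release in the constructed table


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def build_signatures(releases: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, Set[str]]]:
    """path -> {file hash: versions that ship exactly that file}.
    A file unchanged across releases maps to several versions, so on its
    own it cannot tell those versions apart."""
    sigs: Dict[str, Dict[str, Set[str]]] = {}
    for version, files in releases.items():
        for path, content in files.items():
            sigs.setdefault(path, {}).setdefault(_sha256(content), set()).add(version)
    return sigs


def fingerprint(site_files: Dict[str, bytes], sigs) -> Tuple[Optional[str], int]:
    """Each matching file votes for every version it belongs to; the version
    with the most votes wins (newest on a tie). Returns (version, votes)."""
    votes: Dict[str, int] = {}
    for path, content in site_files.items():
        for version in sigs.get(path, {}).get(_sha256(content), set()):
            votes[version] = votes.get(version, 0) + 1
    if not votes:
        return None, 0
    best = max(votes, key=lambda v: (votes[v], _version_key(v)))
    return best, votes[best]


def assess(version: Optional[str], latest: str = LATEST) -> str:
    """Version-based verdict only: 'outdated' means a newer release exists.
    It says nothing about whether a known issue was actually mitigated."""
    if version is None:
        return "unknown"
    return "outdated" if _version_key(version) < _version_key(latest) else "current"
```

The shared stylesheet in the sample table shows why a fingerprinter needs several files to vote: on its own it only narrows the answer to 2.0 or 2.1.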

Of course most older versions of software have known vulnerabilities, which is why you should use the latest versions with patches. But in web apps especially that is not always so easy. Many web apps are hosted by service providers. As such, you may not have the ability to upgrade the version of the web app you are using. But again, this is true for both open source and non-open source web apps.

It is misleading to say 100% of sites that were running phpBB were vulnerable. 100% of sites using the old version of the product perhaps were vulnerable. But not if they run the latest version. Again, download the latest version Charlie!

So let's not turn this Blind Elephant into a Pink or White Elephant. It is not meant as a tool to prove open source web apps are any more or less secure than non-open source web apps. It is an open source tool that allows you to do quick, efficient fingerprinting.

So whether you are a big open source fan or not is not really the point. But before going off and attacking open source web apps as being particularly insecure, you should do a little digging. Otherwise you can make the same mistake Charlie did:

