Another day, another Black Duck Software report that finds that (wait for it!) 220;Open-source vulnerabilities plague enterprise codebase systems,” as ZDNet’s Charlie Osborne reported. Even if we set aside the fact that Black Duck sells tools and services to root open source out of your enterprise, it’s not clear why its findings matter.
Open source has flaws? Absolutely…just like every bit of software that has ever been written by anyone on any planet.
This is why we should take away the exact opposite conclusion that Black Duck seems to intend by its report. Rather than fear open source, which lays bare its vulnerabilities, we should embrace it. Open source isn’t inherently more secure, as some have claimed, but it’s inherently more likely to become secure, if only we’ll do something with the knowledge open source code affords us.
Ignorance is no excuse
As Osborne summarized, “Black Duck Software researchers found through an audit of 1,000 commonly-used applications in the enterprise that 96 percent utilized open-source software, and over 60 percent contained security vulnerabilities due to these components.” Further on, she noted: “78 percent of the codebases examined contained at least one security vulnerability due to open-source components, and on average, 64 vulnerabilities per codebase were found.”
This sounds terrible, right?
SEE: Linux distribution comparison chart (Tech Pro Research)
Actually, no. The very fact that Black Duck knows about the vulnerabilities is cause for hope, not alarm. If enterprises know about problems in the source code, they will fix them, right?
As it turns out, the answer to that question is “wrong,” as the Equifax example suggests. Remember Equifax, that company so eager to gather and consolidate our data? Alas, the same company is not nearly as bothered about protecting our data, which is evident in its blaming of open source Apache Struts for its data breach that spilled 143 million personal records. This would be more credible had Equifax not had five years to patch Struts. Yes, Apache Struts had a vulnerability. Yes, it was made publicly known. And, yes, that vulnerability was fixed. It was Equifax that chose not to deploy the patch.
But Equifax isn’t alone.
Even after the Equifax debacle, Black Duck’s analysis found that a third of companies using that software are still using the old, problematic version of the code.
Look in the mirror
In other words, open source developers are doing their best to write good software, publish notices when bugs are found, and then fix those bugs. What the open source world cannot do, however, is fix inept IT practices. Despite the headlines, it’s not the open source world’s problem that so many want to use the software but can’t be bothered to apply updates. This is why the savviest enterprises get involved with the projects upon which they depend.
However, even if companies don’t want to contribute, they shouldn’t point fingers at open source to cover their own incompetence. As edX’s John Mark Walker acerbically observed, “Dear CIO’s and other IT overlords: If you’re incapable of managing your software engineers and their handiwork, buy managed products.”
This is Enterprise IT 101, whether buying from a vendor or downloading open source software. You’ve got to apply the updates. With open source, you’re not reliant on one enterprise to make flaws in its products known, something that most software vendors will avoid for as long as practicable. With open source, the errors get uncovered earlier, in many cases, and broadcast to all. In this way, open source is superior to proprietary alternatives, and should be celebrated for its approach to security, not shunned.