יום שני, יולי 21, 2008

The sunshine makes everything so dark...

Study: OSS Communities Are Often Slackers in Security

As usual, when you read these type of articles in reverse everything is so much clearer. So let's start from the end:
  • One paragraph before last, they bother mentioning the research company also provides "audited versions of several open source packages" and link to their friendly Open Review Project. OK, so it's not about security, or rather it's about their financial security...
  • Somewhere in the middle of the text, it becomes clear they only talk about open source Java and for the study they examined some 11 projects -- that's no doubt a typical representation of the FOSS community projects.
  • Also great quotes:
  • ..."One is the absence of any procedures for reporting bugs or security flaws."
    • Can you show me a decent FOSS project without a bugzilla?
    • Can you point to the URL for public reporting of bugs in proprietary products?
  • After reading through the text I found they try to compare "community" FOSS with "commercial" FOSS. They don't even mention proprietary.
  • Oh, we finally got to the title... yes, it was the communities they were bashing all along, not FOSS per-se. They actually claim to help FOSS by selling audited versions of the untrusted community editions. Just like our MS friendlies that simply love FOSS as long as it's on their terms.
So what can be said about this crap:
  • If these Fortify Software chaps really have a business plan around FOSS than a good advice would be -- if you want to drink from this well, don't piss in it...
  • And lets be clear about it -- I'm all for full disclosure of security flaws (FOSS or otherwise), but this article didn't disclose anything except paragraphs upon paragraphs of FUD.
Pretty obvious from the title, don't you think?

2 comments:

  1. Let me also point out it was Java applications ... not to single out Java but a lot of Java code tends to have simple exploits in it due to the people working on the code (a lot of times it's fresh out of college kids who haven't heard of app security just yet). One could probably found a similar pattern with C++ in the early to mid 90's before java took the educational language cake.

    השבמחק
  2. That, or the developers think Java is immune to all security exploits just because it catches array overflows (with a fatal exception which can still DoS the entire app if not caught properly, but they don't understand the implications of that either).

    השבמחק