
Open Source Risks

21 Jul 2011, CPOL
As a developer, what is the quantifiable risk of using an Open Source library? We need to address this situation without killing the collaboration and openness of Open Source.

It’s really surprising to me that a widely reported recent WordPress plug-in hack was mostly brushed off as just another system getting hacked. I see this as a much bigger issue. While the WordPress team did a good job of detecting and handling the situation, they still forced password resets on every WordPress.org account. As a developer, that tells me they were not 100% sure they had closed all the loopholes or found all the malicious code.

How did the hack actually happen? The attackers managed to impersonate developers on the project and check in a few lines of code that created a back door for them to get in through. At some point this was caught by the team reviewing check-ins, but the across-the-board password reset makes me wary. This post makes it seem that the code made it into the repository and was available to some users for a short period of time.

The bigger issue here is that attackers are actively targeting Open Source projects. This problem is much bigger than the hack itself, and no one is talking about it in the online conversation (that I have found). Large companies already prohibit the use of Open Source for this very reason, and are being proved right. Enterprise developers are forced into building sub-optimal solutions since they can’t use Open Source.

In this instance, the project team was diligent enough to catch it before it got too far. What about other projects? Are there back doors out there now? I’m certain there are. As a developer, what is the quantifiable risk of using an Open Source library? We need to address this situation without killing the collaboration and openness of Open Source.
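The practical check a developer can apply to the scenario above (a few lines slipping into a release between reviews) is to record a hash of every file in the dependency at the point it was reviewed, and diff that manifest against whatever the next pull brings down. Anything that is not byte-for-byte what was reviewed gets read before it ships. The script below is an added example written for this article, not code from the original post or from the WordPress project; the plugin file names and contents are constructed, and `manifest_from_dir` is a hypothetical helper for running the same check over a real checkout.

```python
"""Detect unreviewed changes in a third-party dependency by diffing file-hash manifests.

Added example for this article; not code from the original post or from the
WordPress project. File names and contents below are constructed.
"""
import hashlib
from pathlib import Path
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build {relative_path: sha256} from an in-memory tree (used for the sample below)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_from_dir(root: Path) -> Dict[str, str]:
    """Same manifest for a real checkout or vendored copy on disk (hypothetical usage)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(reviewed: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Report paths that appeared, vanished or changed since the reviewed snapshot.

    Any non-empty list means the dependency is no longer the code that was reviewed.
    A one-line back door shows up as a 'modified' entry exactly like a legitimate fix,
    so the hash tells you *that* something changed, never *whether* it is safe;
    the diff still has to be read.
    """
    reviewed_paths, current_paths = set(reviewed), set(current)
    return {
        "added": sorted(current_paths - reviewed_paths),
        "removed": sorted(reviewed_paths - current_paths),
        "modified": sorted(
            p for p in reviewed_paths & current_paths if reviewed[p] != current[p]
        ),
    }


def is_unchanged(reviewed: Dict[str, str], current: Dict[str, str]) -> bool:
    """True only when every file hashes to what was recorded at review time."""
    return not any(diff_manifests(reviewed, current).values())


# Constructed sample: a plugin as it was reviewed, and the same plugin after one
# unreviewed commit touched an existing file and added a new one.
REVIEWED_PLUGIN = {
    "plugin.php": b"<?php\nfunction render_widget() { echo 'hello'; }\n",
    "readme.txt": b"Sample plugin, version 1.0\n",
}
TAMPERED_PLUGIN = {
    "plugin.php": REVIEWED_PLUGIN["plugin.php"] + b"// one line nobody reviewed\n",
    "readme.txt": REVIEWED_PLUGIN["readme.txt"],
    "helper.php": b"<?php\n// new file that was never in the reviewed release\n",
}

# The manifest you would commit alongside your own code when the review was done.
REVIEWED_MANIFEST = manifest_from_files(REVIEWED_PLUGIN)


def check_upgrade(current_files: Dict[str, bytes]) -> Dict[str, list]:
    """Compare a candidate upgrade against the manifest recorded at review time."""
    return diff_manifests(REVIEWED_MANIFEST, manifest_from_files(current_files))


if __name__ == "__main__":
    report = check_upgrade(TAMPERED_PLUGIN)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
    if not is_unchanged(REVIEWED_MANIFEST, manifest_from_files(TAMPERED_PLUGIN)):
        print("dependency differs from the reviewed snapshot; read the diff before upgrading")
```

Run against the constructed sample it reports `plugin.php` as modified and `helper.php` as added, and an identical tree reports nothing. The manifest belongs in your own repository, next to the code that depends on the library, so that the comparison is against what you reviewed rather than against whatever the upstream repository says today.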

The large companies are addressing this by paying smaller vendors to indemnify them for their use of an Open Source project, so that the vendor takes on the risk of being sued if a hack gets through. While this is working on some fronts, it certainly doesn’t scale. There are thousands of Open Source projects, most of which will never see indemnification by a third party.

I don’t have the solution in hand, but it seems to me the conversation needs to get moving.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Team Leader Hewlett-Packard
United States
Dave has been programming for a living since 1995, working previously with Microsoft technologies modeling internal business processes, and now working as a mobile architect and team lead. He is currently employed by DXC.technology in the metropolitan Detroit area.

Comments and Discussions

General: Open Source Risk Reduction
Jan Steyn, 21-Jul-11 23:51