Palamida Ranks Open Source Vulnerabilities
Sunday, 16 December 2007
December 17, 2007. One of the urban myths about open source is that it is inherently more secure than traditional proprietary software. In actuality, open source is not more secure per se; the argument is that, when the code is accessible to developers anywhere, vulnerabilities tend to get patched more quickly.

The dilemma, however, is that customers who use open source software may not always know when they have vulnerable software, or whether patches have been issued. In large part that is attributable to the fact that, for grassroots or foundation-led open source projects, there may be no single entity that "owns" the project or formally retains business or legal responsibility for handling vulnerability reports.

Palamida, which began life tracking the intellectual property in open source code, is now training its sights on tracking bugs and security holes found in that code. The company shifted direction as it moved its prime marketing focus from serving software vendors to pursuing corporate customers. It has just released a new version of its Vulnerability Reporting Solution (VRS), which adds signatures for over 480 newly catalogued vulnerabilities. To get everybody's attention, the company is also listing the five open source components whose vulnerabilities most often go undetected in customer code. The list mixes household names with obscure libraries that tend to be ubiquitous.

This year Apache Geronimo, the open source project on which IBM's WebSphere Application Server Community Edition is built, led the pack in undetected vulnerabilities. It was followed by an even more popular open source application server, JBoss. After those two came a group of libraries that turn up in a great many open source downloads: LibTIFF, a long-established library for reading TIFF images; Net-SNMP, a widely used SNMP agent and toolkit for querying network devices; and zlib, a data compression library.

The criteria for listing had nothing to do with the raw incidence of bugs or security holes. That JBoss and Geronimo were listed so prominently does not mean their software quality is poorer; the number of vulnerabilities was only one of the factors.

Instead, the survey ranked by exposure: these projects turned up most frequently in the code audits Palamida has conducted for customers. Another criterion, which accounts for the presence of the obscure libraries, is the "surprise" factor, the degree to which customers are unaware that they have the particular piece of software at all. Because open source projects often build on other open source projects, this happens often; the same kind of unnoticed inclusion of others' code was the basis of SCO Group's ill-fated intellectual property litigation against Novell, IBM, and the Linux community.

"This has nothing to do with open source projects being more vulnerable, or whether they do poor patch management," explained Teresa Bui-Friday, Palamida co-founder and vice president of marketing. According to Bui-Friday, in most cases these and other open source projects patch extremely well and extremely fast. The question is whether customers are aware that they have this software, and whether they have the latest patch. For instance, your organization may have downloaded an open source product that itself contains some of the obscure libraries in question. If you're not buying a support subscription, chances are you'll be left to guesswork.

The Palamida report emphasizes an important reality of the open source software market: the bottom line for customers is that you shouldn't treat open source any differently from traditional proprietary software. You may be able to download it for free (that is increasingly true of the "Express" editions of many mainstream commercial packages as well), but at the end of the day, if your business relies on the software, buying a support subscription remains good business. Either you pay now, or you pay later.
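As an added example (not Palamida's VRS and not code from the article), here is a small Python inventory check of the kind the "surprise factor" calls for: walk a source tree, look for the version markers that bundled copies of zlib and LibTIFF leave behind in their headers, and compare each against a policy floor so stale copies are flagged. The sample tree, the policy table and the libtiff header pattern are constructed for this example; `ZLIB_VERSION` is zlib's real macro, while the `TIFFLIB_VERSION_STR` pattern is an assumption to verify against the copy you audit.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample "download": a project tree that silently bundles copies of
# third-party C libraries its README never mentions. Keys are relative paths,
# values are file contents. Made-up data for the example, not anything published.
SAMPLE_TREE: Dict[str, str] = {
    "src/main.c": "#include <stdio.h>\nint main(void) { return 0; }\n",
    "README": "This project has no third-party dependencies.\n",
    "third_party/zlib/zlib.h": (
        '#define ZLIB_VERSION "1.2.3"\n'
        '#define ZLIB_VERNUM 0x1230\n'
    ),
    "vendor/tiff/libtiff/tiffvers.h": (
        '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.8.2\\nCopyright notice follows"\n'
        '#define TIFFLIB_VERSION 20060323\n'
    ),
}

# Version markers: (header file name, regex capturing the version string).
# ZLIB_VERSION is zlib's real macro. The libtiff entry assumes tiffvers.h defines
# TIFFLIB_VERSION_STR starting with "LIBTIFF, Version x.y.z" (an assumption).
MARKERS: Dict[str, Tuple[str, re.Pattern]] = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([0-9][0-9.]*)"')),
    "libtiff": ("tiffvers.h", re.compile(
        r'#define\s+TIFFLIB_VERSION_STR\s+"LIBTIFF,\s*Version\s+([0-9][0-9.]*)')),
}

# Illustrative policy: the oldest version of each library the organisation treats
# as acceptably patched. Constructed numbers, not taken from any advisory; a real
# table has to be kept current from the upstream projects' releases.
MIN_PATCHED: Dict[str, str] = {"zlib": "1.2.3", "libtiff": "3.9.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); parsing stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_embedded(tree: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (library, version, path) for every bundled copy whose marker matches."""
    hits = []
    for path in sorted(tree):
        base = os.path.basename(path)
        for lib, (marker_file, pattern) in MARKERS.items():
            if base != marker_file:
                continue
            match = pattern.search(tree[path])
            if match:
                hits.append((lib, match.group(1), path))
    return hits


def audit(tree: Dict[str, str], policy: Dict[str, str] = MIN_PATCHED) -> List[dict]:
    """Compare each embedded copy with the policy floor: ok, stale, or unknown."""
    report = []
    for lib, version, path in find_embedded(tree):
        floor = policy.get(lib)
        if floor is None:
            status = "unknown"      # present, but nobody has set a floor: review it
        elif parse_version(version) < parse_version(floor):
            status = "stale"
        else:
            status = "ok"
        report.append({"library": lib, "version": version, "path": path,
                       "minimum": floor, "status": status})
    return report


def load_tree(root: str) -> Dict[str, str]:
    """Read a real directory into the same path -> text shape as SAMPLE_TREE."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree


if __name__ == "__main__":
    for row in audit(SAMPLE_TREE):
        print(f"{row['status']:7} {row['library']} {row['version']} "
              f"(minimum {row['minimum']}) at {row['path']}")
```

Against a real checkout, `audit(load_tree("/path/to/download"))` yields the same report shape. The value of the check is exactly the point the article makes: the libraries it turns up are frequently ones the project's own README does not mention, and a copy pinned inside a vendor directory does not get updated when the upstream project ships a fix unless someone knows it is there.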