I'm an author and a developer focused on build tools. I'm currently focusing on Gradle, but I have an interest in all build tools and most development infrastructure. I focus on Enterprise Java, Ruby, and the interface between Systems Administration and Software Development. The focus of my work is to make it easier for individuals to adopt open source software.

Open Source Changes Fast. Can You Keep Up?


Bouncy Castle. Do those words mean anything to you? If you are a Java developer, you might know that Bouncy Castle is an encryption library often used to generate secure hash codes and encrypt data. In other words, it is a silly project name for a serious purpose. Do you know that old, released versions of Bouncy Castle have known security vulnerabilities? I’m not writing this to cast a shadow of doubt on the project. Bouncy Castle is an awesome open source library, as is the Spring framework, Commons HttpClient, Tomcat, and Jetty. What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.

There’s a good chance that you might not be focused on this problem. You might not be constantly evaluating your project’s dependencies to analyze the risks.

I’ve been developing enterprise software for years, and it just isn’t something most companies worry too much about. While a company might spend a great deal of money on systems and personnel to keep operating systems patched and networks secured, that same company is likely using an older version of Commons HttpClient 3.1 that presents a denial of service (DoS) vulnerability. In other words, we appreciate the vulnerability of machines and operating systems while simultaneously ignoring the security characteristics of the software that runs on these platforms.

As open source becomes more important to the modern enterprise, this exposure will only increase. The critical question to ask yourself, given the increasing rate of change in open source, is “can you keep up?”
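As an added example (not part of the original post, and not Sonatype Insight), here is the kind of check the article is arguing for: pull the dependency coordinates out of a build script and flag any whose version falls below the first fixed release listed in an advisory feed. The build.gradle fragment, the advisory entries, their ids and their version bounds are all constructed placeholders, not real advisories; the one thing it shows beyond the text is that a plain string compare is not enough, so versions are compared component by component with pre-release qualifiers ranked below the release.

```python
import re

# Constructed advisory list for illustration only: the ids and the "fixed in"
# versions are placeholders, not real advisories or real affected ranges.
# Each entry: (group, artifact, first_fixed_version, note); every version
# below first_fixed_version is treated as affected.
ADVISORIES = [
    ("commons-httpclient", "commons-httpclient", "3.1.1", "EXAMPLE-ADV-001: DoS in old HttpClient 3.x"),
    ("org.bouncycastle", "bcprov-jdk15on", "1.47", "EXAMPLE-ADV-002: placeholder Bouncy Castle issue"),
]

# Constructed build.gradle fragment in the 2011-era 'compile' syntax.
BUILD_GRADLE = """
dependencies {
    compile 'commons-httpclient:commons-httpclient:3.1'
    compile 'org.bouncycastle:bcprov-jdk15on:1.46'
    compile 'org.apache.httpcomponents:httpclient:4.1.2'
    testCompile "junit:junit:4.8.2"
}
"""

# Matches quoted 'group:artifact:version' coordinates.
DEP_RE = re.compile(r"""['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""")

def version_key(version):
    """Comparable key: numeric parts padded so 3.1 == 3.1.0, and a qualifier
    such as -beta or -rc1 ranks below the plain release it precedes."""
    nums, qualifier = [], ""
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit() and not qualifier:
            nums.append(int(piece))
        else:
            qualifier += piece  # first non-numeric piece and everything after it
    nums += [0] * (4 - len(nums))
    return (tuple(nums), 0 if qualifier else 1, qualifier)

def parse_gradle_deps(text):
    """Return (group, artifact, version) tuples declared in a build script."""
    return DEP_RE.findall(text)

def audit(text, advisories=ADVISORIES):
    """Flag every declared dependency whose version is below an advisory's fixed version."""
    findings = []
    for group, artifact, version in parse_gradle_deps(text):
        for adv_group, adv_artifact, fixed_in, note in advisories:
            if (group, artifact) == (adv_group, adv_artifact) \
                    and version_key(version) < version_key(fixed_in):
                findings.append((f"{group}:{artifact}:{version}", note))
    return findings
```

Running `audit(BUILD_GRADLE)` flags the HttpClient 3.1 and bcprov 1.46 lines and leaves the 4.x HttpClient and JUnit alone; wiring a real advisory feed in place of ADVISORIES is the part the article is saying most teams never get round to.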

It just so happens that we recently launched Sonatype Insight to help with this very issue. Watch this short video to see how Sonatype Insight can help you keep up.

Learn more about Sonatype Insight.

From http://www.sonatype.com/people/2011/10/open-source-changes-fast-can-you-keep-up-2

Published at DZone with permission of Tim O'brien, author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)



Bob Bobsmith replied on Mon, 2011/10/10 - 3:23am

What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.

That makes it sound like FOSS has a particularly bad problem with security vulnerabilities and non-FOSS users needn't worry, which isn't the case.

Lots of old versions of just about all libraries (either FOSS or proprietary) have various bugs and security vulnerabilities. Some might leave your app vulnerable, some might cause crashes and some might just make your results ever so slightly wrong.

Unfortunately, updating the library could cause incompatibilities or make other bugs visible, so people are frequently unwilling to update any library. Of course, if you had a decent set of unit tests then you wouldn't need to worry - as long as the API remains consistent then you just run your comprehensive tests and check if everything is still okay. People do have decent unit tests, don't they?
