Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com)
An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach, for example, exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies don't have a policy or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
How is it any different for closed source software? What if that proprietary software hasn't been updated in years? Surely if there is no update, there is no security risk, right?
Has /. really stooped this low?
It's free e e e e e ee e e e!
Closed source is better. When I pay for software, if it fails, I get compensated.
When Windows crashed, and took all my data, Microsoft sent the best data recovery technicians money could buy to recover every single one of my files, didn't cost me a dime.
When I got ransomwared, Microsoft paid the ransom, because Windows was fully updated, and I maintained good security practices, Microsoft paid for their failure to secure code. Because they put their money where their mouths are they paid up to recover my files.
When my hardware got damaged by bad drivers, Microsoft replaced all my hardware. Due to a bad BIOS flash, Microsoft FedExed me a loaner computer at no charge, next day delivery and all.
Microsoft has the trust needed to safeguard my data. They put their money where their mouth is.
Compensate me for data loss, data theft, hardware issues, etc, and then I will consider open source.
What? Microsoft doesn't do these things? So my remedy for software failure, at best is the cost of the software?
Explain how closed source is better again?
It's amazing how the open source knockers always point out potential problems, while conveniently ignoring the fact that the exact same problems, but usually much worse, also exist in closed source software. At least with open source people have an opportunity to look into it.
Because you get jack and shit if your software purchase fails or has a bug.
Or you can pay for a support license. However you can get that with FOSS too, so it's still no different.
Yet with closed source you don't know what you've been handed, you have no idea whether there's anything patented in there that you're going to be held liable for, and you have also agreed to let BSA invade your shop and check for any, ANY, violation of a license. Even if that "violation" is the lack of the special sticker that didn't say it was the proof of purchase, only the product code strip that you THOUGHT was the proof of purchase since you can't get those without paying.
Tell me, how was closed source supposed to be better, again?
Modern development stacks using NuGet, NPM, Bower, etc. tend to make it exceedingly easy to insert someone else's code into your project without paying attention to licensing or vetting their code. And because of how easy it is to put your own stuff on these package managers, they're full of one-off projects that don't have the reliability or long-term maintenance of the major open-source projects.
I'd fully expect to see a ton of small companies (small enough to not have strict process) with horrible dependencies.
These roles/policies are generally only formed at a company after a legal risk/threat is realized, I think. I know as a lead dev, my priority is often given to me from above in terms like "We need to do this quickly, as this is a great opportunity for us, and it should work well with our existing tech. How long would this take you to get something meeting these requirements out the door?" Saying something longer than what they want to hear is usually a great way to get a response like "why would that take so long if we already have X and Y working" at best; a poor performance review is more likely. Note that the requirements almost never state any sort of open source compliance or other important details. Given an open source library or framework is nearly always the quickest and cheapest route to get there, that's what ends up used, with the hope that it will be properly analysed in detail and the situation improved down the road. The problem is management, and the pressure on devs/engineers to do things "quickly by whatever means necessary" far, far too often.
Considering that there was a post a short while ago about how Microsoft got pwned half a decade ago and never made it public, putting everyone at risk? How is Equifax's refusal to patch their software in any way relevant to the fact that Struts is OSS? How many of these same companies were asked if they had closed source compliance teams?
The whole article smells like so much bullshit I'm having to lean away from my computer.
This isn't about open source software, or "compliance" regarding open source software. This is about failing to do timely security updates of reused third-party software. It doesn't matter if it's open source software or not. If you use third-party software, you need to update that software when a security update happens, and you have to do it BEFORE an attacker exploits it. This has been necessary for decades. Haven't you ever updated an operating system because a vulnerability was found in it? Of course you have. If you reuse software, and you embed it in something you use or deploy, then you need to update when the reused software has a security vulnerability. One advantage of open source software today is that there are tools that make it easier to monitor and update. But you still have to be prepared for security updates. You can do this by monitoring updates, using package managers to let you easily update, having automated tests so you can verify that the update is okay, and by having a deployment system so you can send out your update. All of this is available. Check out this video for an example: https://www.youtube.com/watch?... . If you don't keep your software patched in a timely way, you get p0wned. That's how it works. That's ALWAYS been how it works.
- David A. Wheeler (see my Secure Programming HOWTO)
Check out the primary source: Flexera. They are definitely not supporters of open source software.
Their business relies on closed source.
These guys make license management software for big closed-source software packages (CAD, simulation, etc.). I've been fortunate enough that their software has always done its job and gotten out of the way (at my organization), but their end-user documentation is awful. Take their commentary on open-source software with a big pile of salt.
C'mon, folks. Yet another FUD package? That's getting old now.
Times are over where you install "some software" and don't touch it until the system dies of old age. Free software or otherwise.
Equifax didn't keep their systems up to date. They got what they were asking for. You need a proper process to run any software -- heck, for any complex system, like a bridge or a building.
The whole problem here is the lack of proper code management in what is really a proprietary tool. Actual free software projects are managed and developed publicly. The developers are concerned about public appearances explicitly because the code's publicly available. I can't tell you how many proprietary programs I've helped free, and the one thing that always has to be done is a code clean-up. The way free software projects work is bug fixes get imported from upstream projects, etc., etc. My primary job is working with developers of downstream open source projects and none of them have this problem. Security update? They pull in the fix code and re-build. One major project pulled in 2 fixes in the last six months and another 2 fixes this past week. All critical security issues have been resolved within hours.
Computer systems, both hardware and software, have simply become too complicated for the average PHB and for the average company.
The vast majority of the managers have no idea, NONE, how these systems work, how they are put together, and how they should be maintained and updated. They simply select software based on the latest buzzword, the latest Gartner "quadrant" (whatever that is) or the latest fad and/or "safe" choice (Remember: "Nobody ever got fired for buying IBM"? Or Microsoft, or Oracle, or Red Hat Linux, or...).
What is even worse is that everyone right now is under pressure to deliver, deliver, deliver: services, software, profits, what have you. Simple common sense, such as using simple, proven technologies, updating (or even replacing) things on a regular basis, and testing for the most common security and configuration mistakes, not to mention advanced standards (PCI-DSS anyone?), is simply forgotten and/or swept under the carpet. There, the issues accumulate and fester, until the rot and stench become unbearable and attract the script kiddies and the bottom-feeders of the Internet.
Add to this technical and engineering teams that are under-staffed, underpaid, overworked, often demoralized and threatened constantly with being axed and replaced by H1B or outsourced to a third-world country, and you have a recipe for disaster. Hence the Equifax we will now have on a regular basis and the Internet of Shit, the half-baked PHP pages, coded by the moronic intern, that are simply begging to be hacked, drawn and quartered. Hence the constant scapegoating of the technical team -- both "dev" and "ops" -- that results in those perfectly avoidable disasters.
To the average PHB and countless ''bro'' startup CEOs, the people who know their stuff are simply nerds, both too expensive and too whiny, useful idiots to be ignored, discarded and replaced at will in their quest for more profit, "eyeballs", "clicks", and even more profits. And these same PHBs and CEOs parade and strut in front of their peers, talking nonsense about things they do not understand, piling buzzwords on top of buzzwords while their nerds and geeks desperately try to warn them about this or that issue or vulnerability.
It's time for a new revenge of the nerds. It's time for companies and their leaders to be held accountable for their failings -- except they will probably find it easier to scapegoat the nerds.
The issue is not open-source software. The issue is not closed-source software, or even computers. The issue is that nobody cares about a job well done anymore, because profits. Try to wake up the idiots that rule companies and you will either be ignored or dismissed. Propaganda (just another word for PR) and appearances are more important than caring for your customers or your employees. Save a buck, damn the torpedoes and full speed ahead. What do you mean we have to patch this? Shut up!
This is not new or even special (Exhibit #1: the Ford Pinto). This is just a bit more visible these days. We are back in the Gilded Age of the Robber Barons.
And by the way, if you are reading this, you are probably not one of the Robber Barons. You are one of the nerds. Welcome.
just another case of an IT department that failed to patch a vulnerability in a timely fashion..... Of course this one just happened to be housing the financial identities of nearly half the adult American population....
I'm actually kind of disappointed that more copy-pasta/otherwise spammy anti-OSS ("open sores") anecdotal type posts haven't been made here yet.
Right?! Why don't they just use a closed standard available only for purchase and tightly regulate it, like WPA2 or something, and then there won't be any issues.
Many eyes make bugs shallow, but that doesn't work if you keep them closed.
It's just that companies are more motivated to keep track of software that they have paid for licenses for. If they don't keep track of their license usage then they can be fined for running illegal copies. Some software companies are extremely vigilant in making sure that their customers are only running the number of copies that have been paid for.
If the free open source world had some companies that tracked their applications like that then firms would track the usage better.
Flexera has an agenda to manage "Software Composition Analysis", which is intended to manage your exposure to Open Source Software.
I've come across this tool in consulting gigs and it is essentially a catalogue of OS tools and libraries usage. This is something that can be easily achieved with open source repositories such as Nexus.
dwheeler commented:
> This isn't about open source software, or "compliance" regarding open source software. This is about failing to do timely security updates of reused third-party software. It doesn't matter if it's open source software or not. If you use third-party software, you need to update that software when a security update happens, and you have to do it BEFORE an attacker exploits it.
> This has been necessary for decades. Haven't you ever updated an operating system because a vulnerability was found in it? Of course you have. If you reuse software, and you embed it in something you use or deploy, then you need to update when the reused software has a security vulnerability. One advantage of open source software today is that there are tools that make it easier to monitor and update. But you still have to be prepared for security updates. You can do this by monitoring updates, using package managers to let you easily update, having automated tests so you can verify that the update is okay, and by having a deployment system so you can send out your update. All of this is available. Check out this video for an example: https://www.youtube.com/watch?... .
> If you don't keep your software patched in a timely way, you get p0wned. That's how it works. That's ALWAYS been how it works.
Mod parent +1 Insightful, please.
Huffing and puffing aside, this is EXACTLY what both TFA and TFS are about. (The headline, as usual, is pure clickbait trolling. Thank you for that, /. editors ... )
The article is about POLICY and compliance with it. If your company has no POLICY regarding open source, and no checking for compliance with that policy, how do you (as, for instance, the CIO) ensure that the systems are in fact patched in a timely manner? Just leave it up to some low-level admin? Package managers, etc are just tools, they are not a substitute for policy (without policy, what is to prevent someone from downloading the source and building themselves, avoiding the pesky package manager)?
'nuff said
Because dealing with these risks would cost money and they would rather pay a bigger bonus to the C-levels than solve this problem. There are no specific risks of FOSS that are not present in commercial software. You can buy support for FOSS that is just as good or better. You can have your own people that can deal with problems. You can get independent reviews of the software. In fact, basically everything about FOSS is easier to secure than with the alternatives. It is still not simple and the time and effort has to be spent.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Yeah, I know, DFTT
> People use closed source software knowing full well that the product may be discontinued, or it may go unmaintained at some point. The risks are well known and understood.
The software being open or closed is irrelevant to the discussion.
> All we need to do is look at GitHub, SourceForge, or Apache to see that most open source projects do in fact end up dead. Of course, open source advocates don't admit to this.
[[Citation]]
The _difference_ is when Vendor A goes out of business you are _completely_ fucked for future updates. Good luck fixing bugs in a closed source program.
When an OSS project stops being maintained the source is _still_ there. You have the _option_ of hiring a competent programmer to fix bugs in it -- with closed source there is no option.
The _real_ problem is that you picked an OSS project that wasn't popular enough. What The Fuck were you doing when you _evaluated_ the software in the first place??? The _first_ thing you do when picking ANY software from a business POV regardless if it is closed, or open, is to evaluate:
a) the _community,_
b) _support_, and
c) a BACKUP plan. That is, what was your _migration strategy_ for WHEN "this software is no longer available?" What's that? You didn't _think_ of THAT scenario? Blaming OSS for your own short-sighted stupidity is a moronic attempt at trying to pass the buck for your incompetence.
> myth is probably that open source software is somehow "better".
> Open source products are just as buggy as closed source software products are.
As opposed to the FACTs that closed source is buggy-as-shit ???
It is hard to get an accurate bug count with closed source because closed source is too embarrassed to tell the truth, but here are some stats:
* Windows 2000 had 63,000 bugs,
* Windows 7 had 2,000 bugs,
* Windows 10 1,300 bugs
No one pretends OSS is some silver bullet. But it has numerous advantages that closed source will NEVER have (by definition.) Every disadvantage that OSS has is _also_ exactly the same for closed source.
You can't put a price on freedom.
Mod parent -1 troll.
Indirectly, of course...
Turn it on and if it doesn't blow up things are OK.
In other words the Software industry is full of frauds. Like Most other industries.
Lets be honest. Some Projects Like OpenSSL and PHP should better be called TROJAN HORSES.
Everything you just wrote assumed that the company will write the system from scratch rather than tweaking a FOSS system. So you are right in what you say but it has nothing to do with this subject, or how anybody does things in 2017 for that matter.
> How is it any different for closed source software? What if that proprietary software hasn't been updated in years? Surely if there is no update, there is no security risk, right?
Proprietary and Closed are two separate things. Some proprietary software may be sold under a binary-only license or a source code license. The source code license allows redistribution by the licensee so that the licensee can debug and update the code if necessary. In other words the source code license removes a big risk of "buying" rather than "building" software. From the licensee's perspective it is not terribly different than open source. It really only differs for the licensee's customers who have no access to the source code.
To this point... compliance is a big buzzword these days and you can't have compliance without a policy or regulation to which you must comply. But a dumb policy might be worse than no policy. So... hire competent people.
"Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source." And most of those products are violating the GPL.
My experience in the field has led me to the conclusion that closed source is far more damaging to a company's bottom line.
1. Closed source licensing often results in changes to architectural designs to limit license exposure. This in turn often makes the final product weaker than it could be. For example, if you buy license X you can only scale to 10 nodes in production. If demand gets high enough you can not scale to meet it.
2. Closed source licenses that restrict functionality once the license is exceeded. This can cripple your company and you don't even see it coming. If the product you have purchased has a form of crippleware built in, you could at times of demand all of a sudden lose functionality. Example: say the closed source stuff has a search function you need for your sales team. It's Xmas season and the sales are flying in. All of a sudden in the middle of the day the search function suddenly returns only the first match. Chaos would ensue.
3. Support. Open source hands down has the best support out there. Open source communities tend to be very active. This is a key requirement for any source you bring in house. I don't care if it's open or closed. I want to see the community behind it. Is it active? Are people passing examples around? Is there a friendly dialogue going on? Or is it just a stream of "This is broken"? Or worse, the last update was a year ago. Or even worse, the community portal is managed by someone that deletes negative comments. Again, open source does this right.
4. No patches unless you pay a fee. The trap. You bought our stuff for cheap. After 3 years all of a sudden the support fee exceeds the original purchase price. Not all closed source does this. But it is a fairly common practice. They have your data / business by the short and curlies. If you don't pay you don't get support. Even worse, you lose functionality if it is also crippleware.
5. Discontinued code. 5 years ago you built your business on this code you paid for. But now the company has decided to no longer develop it further. They aren't out of business and they claim to support it. But it's effectively dead. So that clause that says you get the source code if the business goes under still can't be invoked. Why? Because they are still there and they still say they support it.
6. Tool chains that you have no visibility of. Closed code also has closed tool chains. Which means you have no idea how it was built. Was it built on the intern's laptop and hand rolled into a package? The intern that has a thing for surfing the dangerous world of unicorn manga. His laptop that is so infected with malware that it takes 20 minutes to boot. You just don't know, do you? With open source the tool chain is typically part of the source. You can reproduce the build locally at any time or every time.
Closed Source is extremely dangerous in my opinion. I only recommend closed source when the vendor is clearly the market segment leader with a strong community and a reputation for support. The number of closed products that fit this criteria is extremely small.
( Sorry spelling is horrible. )
The @equifax problem was human. Update, update, update.
That's correct, I assumed the scenario that the parent poster had posed.
Answering questions about an unrelated scenario isn't really productive in most conversations regardless of how many times you can include the term "FOSS."
You might not have a team in your org that keeps track of the OSS you use, if that is the case, it is your task to keep up-to-date on the development of the OSS you use. It is not hard, almost every OSS project worth being used has a mailing list or social media account that will inform you on new updates etc.
If you don't do that, you are just an irresponsible dev.
Except in the Equifax case the patch was to struts, so the issue is likely with the development team not the sys admins.
I'm in the process of documenting all open source components being utilised in a software project I've inherited. One of the first things I did was to inventory all the components, and create an archive of all the packages required to build. However this is rarely done in many companies, which was one of the points of the article.
The jibe about companies contributing is a bit off though. What is worrying about companies contributing? If the code is good that's a great thing.
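As an added example (not code from the commenter above, from dwheeler's comment, or from Flexera), here is a small Python script that does the inventory step described in this comment and the "monitor for security updates" step dwheeler describes: it parses a constructed requirements file into a component list, flags dependencies that are not pinned to one version or carry no artifact hash, and matches each pinned version against a constructed advisory list. The manifest contents, package names and advisory identifiers are all hypothetical; a real check would feed the same inventory to a public advisory feed such as OSV or the GitHub Advisory Database, or to an SCA tool.

```python
import re

# Constructed sample manifest (not from any real project). It deliberately
# mixes a pinned+hashed entry, an unpinned entry, and a pinned-but-unhashed
# entry so that each check below fires at least once.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed example)
examplelib==2.3.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
otherlib>=1.0
thirdlib==4.1.2
"""

# Constructed advisory feed; identifiers and version ranges are hypothetical.
# Real feeds express the same thing: package name, introduced version, fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib", "introduced": "2.0.0", "fixed": "2.3.1"},
    {"id": "ADV-EXAMPLE-0002", "package": "thirdlib", "introduced": "0", "fixed": "4.0.0"},
]

# name, optional comparison operator, optional version, then the rest of the line
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][^\s]*)?(.*)$")


def parse_version(v):
    """Turn '2.3' into (2, 3, 0) so tuples compare numerically, not lexically."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    """Build the inventory: one record per dependency line, comments stripped."""
    inventory = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, version, rest = m.groups()
        inventory.append({
            "name": name.lower(),
            "pinned": op == "==",
            "version": version if op == "==" else None,
            "spec": f"{op or ''}{version or ''}",
            "hashes": re.findall(r"--hash=(\S+)", rest or ""),
        })
    return inventory


def is_affected(version, adv):
    """Affected if introduced <= version < fixed (half-open range, as OSV uses)."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def audit(inventory, advisories):
    """Return findings as (kind, package, message) tuples."""
    findings = []
    for dep in inventory:
        if not dep["pinned"]:
            # Without a concrete version there is nothing to match an advisory against,
            # and a rebuild can silently resolve to a different release.
            findings.append(("policy", dep["name"],
                             f"not pinned ({dep['spec'] or 'any version'})"))
            continue
        if not dep["hashes"]:
            findings.append(("policy", dep["name"],
                             "no --hash; the installer cannot verify the artifact"))
        for adv in advisories:
            if adv["package"] == dep["name"] and is_affected(dep["version"], adv):
                findings.append(("vulnerable", dep["name"],
                                 f"{dep['version']} hit by {adv['id']}, fixed in {adv['fixed']}"))
    return findings


def run_sample():
    return audit(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for kind, pkg, msg in run_sample():
        print(f"[{kind}] {pkg}: {msg}")
```

Run against the constructed manifest, it reports examplelib 2.3.0 as affected by the hypothetical advisory, otherlib as unpinned, and thirdlib as unhashed but not affected (4.1.2 is past the advisory's fixed version). The point of keeping the inventory as data rather than as a mental note is that this check can run in CI on every build, which is the "monitoring updates" step done by a machine instead of by whoever happens to remember.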
The only risk here was the incompetent management, and use of default admin/admin login
Your post sums it up well and deserves a +1 Insightful
so now it's "open source"'s fault that these disgusting companies can't do their jobs properly? fuck you, you dumb ass bastards.