Open source is no longer an also-ran in the world of software: cloud computing has OpenStack, operating systems have Linux, and companies have access to a host of end-user open-source options, from WordPress to OpenOffice to GIMP to osCommerce. But while open-source scripts come without price tags, they’re not without risk. Here’s what every company needs to know.
Opening the Door to Vulnerabilities
According to a recent Naked Security article, more than 70 percent of the most popular websites using WordPress to power their blogs run versions that contain security vulnerabilities. CVE Details mentions issues like CVE-2013-5739 (default configurations of WordPress prior to version 3.6.1 don’t prevent the upload of *.exe files) and CVE-2013-7233, which allows cross-site request forgery, enabling hackers to hijack admin authentication privileges. It’s also possible to overwhelm certain WordPress deployments with brute-force login attacks or inject SQL commands through a URL.
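As an added illustration (not code from the original article or from WordPress itself), here is the kind of upload-name check that closes the gap the first CVE describes: a default that silently accepts *.exe. The allowlist and denylist are constructed samples, not WordPress's actual lists; the check inspects every extension in the name, not just the last one.

```python
import os
import re

# Constructed sample allowlist, modelled on the media types a CMS upload
# handler typically accepts (not WordPress's real list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Executable or server-interpreted types that an upload form should never
# accept, whatever the allowlist says. Also a constructed sample.
DENIED_EXTENSIONS = {"exe", "php", "phtml", "sh", "bat", "cmd", "swf", "htaccess"}

# Only plain characters in a stored file name; no spaces, no path separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def is_upload_allowed(filename: str) -> bool:
    """Return True only if the submitted name passes every check.

    Every extension in the name is examined, so "shell.php.jpg" is rejected
    even though its final extension is allowlisted. Directory components,
    hidden files (leading dot) and names without an extension are refused.
    """
    # Drop any directory part the client may have sent along.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith(".") or not _SAFE_NAME.match(base):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:  # no extension at all: nothing to decide on, reject
        return False
    extensions = parts[1:]
    if any(ext in DENIED_EXTENSIONS for ext in extensions):
        return False
    # The final extension is what the web server will use to pick a handler,
    # so it must be explicitly allowlisted.
    return extensions[-1] in ALLOWED_EXTENSIONS
```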
Part of the problem boils down to the nature of technology: Hackers will always look for ways to compromise software, regardless of whether it’s open source or proprietary. But open source presents a special case, since deployments typically offer minimal (if any) technical support, and users can modify the code at will. As noted by eSecurity Planet, open-source code is often posted on forums and websites; users may download or copy and paste that code and then run it on company networks. With minimal effort, hackers can insert rootkits or other malware into seemingly benign software.
A Few Bad Open-Source Breaches
Drupal, a popular open-source content management platform, was hacked in May of last year, and millions of users had their accounts reset. According to CRN, no “core” functionality was compromised, but it was a wake-up call across the web.
In October, researchers from the University of California, Davis found that osCommerce, an open-source e-commerce solution, had multiple vulnerabilities that allowed malicious users to dupe the software into thinking items were paid for, even when no money changed hands, or — with a few changes to HTTP requests — to pay for items advertised in British pounds with the same amount in U.S. dollars, equating to a significant discount off the retail price.
Many open-source productivity tools, such as OpenOffice and GIMP, also have vulnerabilities. GIMP, for example, contains a bug that allows “improper restriction of operations within the bounds of a memory buffer,” according to Oracle. OpenOffice users, meanwhile, can be victimized by memory corruption as a result of errors caused by PLCF data handling in DOC files.
Check Twice, Install Once
The simplest way to test open-source code before running or installing it on a company network is to use a web-based vulnerability scanner. The proprietary scanner Nessus, for example, can analyze open-source scripts to make sure they don’t contain any malicious lines of code. Wapiti, a free alternative, performs a similar function, first scanning the Web pages of deployed open-source applications and then attempting to inject data — a process known as fuzzing — to determine whether any vulnerabilities exist. Wapiti presents an interesting conundrum, however, since it is itself open source.
Open Source Best Practices
The future of open-source software looks bright — big names like IBM and HP are getting behind cloud-computing initiatives, and many web hosting services include access to hundreds of open-source scripts directly from customer control panels. To ensure that the script you’re getting is the safest option available, it’s worth creating a few best practices.
First, always make sure open-source software comes from a reputable vendor (like a web host) or is downloaded from the official site (or an official mirror) of the project. Next, don’t take code for granted, no matter how small, and don’t assume it’s secure, no matter how popular the software may be; big players like WordPress offer easy access to tools and apps, but they aren’t invincible.
Using open-source tools can significantly reduce costs without limiting functionality. Making the most of these scripts, however, means diligence both in procurement and before company-wide proliferation.