Security in open source software isn't automatic
Article 1 of 4
The open secret in open source: Security isn't built in
Security in open source software shouldn't be based on assumptions.
If you are part of the movement toward more and better use of open source software, you'd be smart to do so with care. The security risks are significant, in part because it is so tempting to assume that they aren't.
After all, why should you test every little thing yourself? With so many people working with the same code, security flaws will be apparent, right? It becomes easy to slip into the mindset that you don't have to do it, because, of course, someone else -- or lots of someone elses -- already took care of it. This idea is logical in a way, but mostly it is just plain reckless.
A passive approach to security assumes too much. And with security, any assumption becomes a potential vulnerability. So what's the best way to overcome those risky assumptions and get serious about security in open source software?
Experts say automation and patch-management tools provide big boosts to the cause. These sorts of technologies can identify potential problems without hindering your development and release cycles. This is no place for manual practices, as TechTarget's Jan Stafford writes in this handbook's featured article on security in open source software.
Those with malicious intent will look to exploit weaknesses in code; some will even slip bad code in with the good. It's unwise to assume everyone has your best interests in mind -- even in the open source community.
Certainly the scrutiny that's a natural element in open source software will aid your security efforts, but it isn't enough to get the job done. Find the tools and strategies that can help make sure that, while the code is open, the door is closed.