{"id":24469,"date":"2014-07-02T18:40:31","date_gmt":"2014-07-02T22:40:31","guid":{"rendered":"http:\/\/www.opensource.im\/?p=24469"},"modified":"2014-07-02T18:40:31","modified_gmt":"2014-07-02T22:40:31","slug":"tools-catch-security-holes-in-open-source-code","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/open-source-software\/tools-catch-security-holes-in-open-source-code.php","title":{"rendered":"Tools catch security holes in open source code"},"content":{"rendered":"<p><p>Maria Korolov | July 2, 2014<\/p>\n<p>Given its prevalence, open source code is virtually impossible to avoid, but the proper steps need to be taken to address its vulnerabilities.<\/p>\n<p>This year has been the best of times and the worst of times for open source code and security.<\/p>\n<p>On the one hand, the latest survey by Black Duck Software and North Bridge Venture Partners shows that 72 percent of industry professionals prefer open source software because they consider it more secure than proprietary solutions.<\/p>\n<p>On the other hand, Heartbleed exposed a security flaw in the widely used, open source OpenSSL encryption library that affected more than half a million websites. Also this spring, TrueCrypt unexpectedly shut down, citing \"unfixed security issues\" on its SourceForge page, and a critical certificate-verification bug in GnuTLS, a TLS library widely used on Linux, was finally exposed after having gone undiscovered for more than 10 years.<\/p>\n<p>Open source software is widely used in business: in web servers running Linux and Apache, in databases, in the Android operating system, in code libraries used by enterprise developers, and embedded in commercial software packages.<\/p>\n<p>Avoiding open source completely is not an option, but blindly trusting the open source community to fix all mistakes is also problematic.
<\/p>\n<p>One solution is to use automated code-scanning tools to check code for known vulnerabilities and common programming errors. Fortunately, the automated tools are getting better every year.<\/p>\n<p>Trust, but verify<\/p>\n<p>Over the past few years, more than 5,000 security vulnerabilities have been found in open source code, according to the National Vulnerability Database.<\/p>\n<p>Ideally, a company would check each of these vulnerabilities against the open source software packages it uses, against the open source software bundled inside the commercial packages it buys, and even against pieces of code that its own programmers copied off the Internet.<\/p>\n<p>View original post here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.computerworld.com.sg\/tech\/applications\/tools-catch-security-holes-in-open-source-code\" title=\"Tools catch security holes in open source code\">Tools catch security holes in open source code<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Maria Korolov | July 2, 2014 Given its prevalence, open source code is virtually impossible to avoid, but the proper steps need to be taken to address its vulnerabilities. This year has been the best of times and the worst of times for open source code and security. On the one hand, the latest survey by Black Duck Software and North Bridge Venture Partners shows that 72 percent of industry professionals prefer open source software because they consider it more secure than proprietary solutions. 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-24469","post","type-post","status-publish","format-standard","hentry","category-open-source-software"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/24469"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=24469"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/24469\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=24469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=24469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=24469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
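The inventory check the article's "Trust, but verify" section describes (comparing the open source packages a company ships, including copies bundled in commercial products, against published vulnerability records) as an added example. This is not code from the article, from Black Duck Software, or from the NVD. The inventory is constructed, and the single vulnerability record is written in a simplified NVD-like range shape: the real NVD entry for CVE-2014-0160 (Heartbleed) lists the affected OpenSSL 1.0.1 builds individually, and the 1.0.1 up to 1.0.1g range below summarises that. The version parser deliberately handles OpenSSL-style letter suffixes, which plain string comparison gets wrong.

```python
"""Software-composition check: match an inventory against vulnerability
records that carry version ranges.

Added example, not code from the article, Black Duck, or the NVD. The
inventory and the vulnerability record are constructed for this example.
The record uses a simplified NVD-like range shape (the NVD's
versionStartIncluding / versionEndExcluding fields); the real NVD entry for
CVE-2014-0160 lists affected OpenSSL builds individually, so the range here
summarises it (1.0.1 through 1.0.1f affected, fixed in 1.0.1g).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One version component: digits with an optional OpenSSL-style letter suffix.
_PART = re.compile(r"^(\d+)([a-z]*)$")


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn "1.0.1f" into ((1, ""), (0, ""), (1, "f")) so that ordinary tuple
    comparison orders versions correctly: 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
    Plain string comparison gets this wrong ("1.0.10" < "1.0.9"), which is a
    common source of false negatives in home-grown matchers."""
    parts = []
    for piece in version.split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError(f"unsupported version component {piece!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2)))
    # Treat "1.0" and "1.0.0" as the same version.
    while len(parts) > 1 and parts[-1] == (0, ""):
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    """Affected versions of one product, with NVD-style inclusive/exclusive
    bounds. A bound left as None is open on that side."""
    product: str
    start_including: Optional[str] = None
    start_excluding: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = version_key(version)
        if self.start_including is not None and v < version_key(self.start_including):
            return False
        if self.start_excluding is not None and v <= version_key(self.start_excluding):
            return False
        if self.end_including is not None and v > version_key(self.end_including):
            return False
        if self.end_excluding is not None and v >= version_key(self.end_excluding):
            return False
        return True


# Constructed vulnerability data: one record, range summarised from the NVD
# entry for Heartbleed (OpenSSL 1.0.1 up to and including 1.0.1f).
VULNS = [
    {
        "id": "CVE-2014-0160",
        "summary": "OpenSSL TLS heartbeat read overrun (Heartbleed)",
        "ranges": [AffectedRange("openssl", start_including="1.0.1", end_excluding="1.0.1g")],
    },
]

# Constructed inventory: (product, version, where it came from). Product
# names must already be normalised to the vulnerability data's naming; a
# Debian package called libssl1.0.0 would need mapping to "openssl" first.
INVENTORY = [
    ("openssl", "1.0.1f", "web-tier base image"),
    ("openssl", "1.0.1g", "patched app server"),
    ("openssl", "1.0.0l", "vendor appliance firmware bundle"),
    ("openssl", "0.9.8y", "legacy VPN client"),
    ("zlib", "1.2.8", "build toolchain"),
]


def find_matches(inventory, vulns) -> List[Tuple[str, str, str, str]]:
    """Return (origin, product, version, vuln_id) for every inventory entry
    that falls inside an affected range. An entry that matches nothing is
    simply absent from the result: that means "no record", not "not
    vulnerable" (zlib above has no record in this data set)."""
    hits = []
    for product, version, origin in inventory:
        for vuln in vulns:
            if any(r.product == product and r.contains(version) for r in vuln["ranges"]):
                hits.append((origin, product, version, vuln["id"]))
    return hits


if __name__ == "__main__":
    for origin, product, version, vuln_id in find_matches(INVENTORY, VULNS):
        print(f"{vuln_id}: {product} {version} ({origin})")
```

Run as-is, only the 1.0.1f copy in the base image is reported; 1.0.1g, 1.0.0l and 0.9.8y fall outside the range. The two things a practitioner usually gets wrong are visible here: version ordering (a naive string comparison would place 1.0.1g before 1.0.1 or mis-order 1.0.10 and 1.0.9) and name normalisation, which has to happen before matching because NVD product names rarely match distribution package names.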