The problem is that there is no centralized place where people keep track of all the different versions of the library. "Once it's working, they don’t go back and keep those up to date. When a vulnerability is found, they update with new versions. Your product becomes more and more vulnerable because it's inheriting all those vulnerabilities," Eng said.
Not keeping track of what they are using, or not keeping their products up to date, is more a function of the lack of a centralized process than of any technical challenge.
Eng said, "Adding open source doesn’t make this problem any better or worse. There is an old myth that because open source projects are freely available and anybody can look at the source code that so many eyes means bugs will get patched."
This myth has been shown time and time again not to be true. "Even a lot of eyes are not necessarily equipped to find security issues. I would caution anybody looking to go more toward open source because they think it’s more secure because it is not," Eng said.
It's important to know who is backing a component, how many developers are behind it, and how widespread its use is. "Understand what is going into your software. Keep track of what vulnerabilities are being discovered. There are a lot of known vulnerabilities out there," Eng said.
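As an added illustration of the centralized inventory Eng describes (example code, not from the article): a small Python check that cross-references a constructed component inventory against a constructed advisory feed, using hypothetical component names and placeholder advisory ids in place of real CVEs.

```python
"""Minimal centralized dependency inventory check (added example).

Assumptions (not from the article): the inventory and advisory feed below are
constructed sample data; a real deployment would load an SBOM and a public
vulnerability feed instead.
"""
from __future__ import annotations

# Constructed sample inventory: one record per component version each product uses.
INVENTORY = [
    {"product": "web-portal", "component": "libfoo", "version": "1.2.3"},
    {"product": "web-portal", "component": "libbar", "version": "4.0.1"},
    {"product": "batch-job", "component": "libfoo", "version": "1.4.0"},
    {"product": "batch-job", "component": "libbaz", "version": "0.9.9"},
]

# Constructed advisory feed: affected range is introduced <= version < fixed.
# The ids are placeholders, not real CVE identifiers.
ADVISORIES = [
    {"component": "libfoo", "introduced": "1.0.0", "fixed": "1.3.0", "id": "ADV-0001"},
    {"component": "libbaz", "introduced": "0.0.0", "fixed": "1.0.0", "id": "ADV-0002"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when the version falls inside the half-open affected range."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(inventory, advisories) -> list[dict]:
    """Cross-reference every inventory record against every advisory."""
    findings = []
    for rec in inventory:
        for adv in advisories:
            if adv["component"] != rec["component"]:
                continue
            if is_affected(rec["version"], adv["introduced"], adv["fixed"]):
                findings.append({**rec, "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f['product']}: {f['component']} {f['version']} hit by {f['advisory']}, fixed in {f['fixed_in']}")
```

Running this against the sample data flags libfoo 1.2.3 in web-portal and libbaz 0.9.9 in batch-job, while libfoo 1.4.0 is correctly recognised as already past the fix.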