A recent round of flaws discovered in open-source software has reignited concerns that security is getting bypassed in the rush to continue expanding the large and extremely popular code base used by millions.
For instance, although the Java-based Spring Framework was criticized by security researchers in January as having a major flaw that allowed remote-code execution by attackers against applications built with it, the updates to Spring this week don't address this security problem.
"Unfortunately, this is the way a lot of open source vulnerabilities go," said Jeff Williams, CEO at Aspect Security, which two months ago recommended that the "expression-language" feature in Spring be disabled until the potential remote-code-execution issue is remediated. This week's Spring updates expand the framework's functionality but leave that problem unaddressed. Spring Framework is managed under SpringSource, a division of VMware.
"They are busy with actual functional stuff and so their incentives are always to minimize the importance of security issues," said Williams.
However, other researchers counter that the focus on security varies considerably across free or open-source software communities and many of them, in fact, do a good job in addressing security issues.
"It's handled very differently between open-source projects," said Vincent Berg, researcher at security firm IOActive. "There are projects that have a very active approach to it. The big Linux distributions and the different BSD flavors tend to do a pretty good job." The Ruby on Rails Web application software project also recently moved quickly to make needed updates for security purposes, Berg said.
His impression, he says, is that the projects handling security best are those that run security announcement mailing lists that users are advised to subscribe to, and "most of these distributions have dedicated security contacts."
"These contacts can generally be reached by a dedicated security mailing list, which tends to be non-public," he said. After the report is analyzed, the project works toward agreement on whether there is a security-related issue and then fixes it.
Berg also says that Debian, most other big Linux distributions, and FreeBSD usually forward bugs reported to them to the "upstream package maintainers."
"Say someone reports a bug in Firefox not to the Firefox people but to the Debian people, then the Debian people will handle it as their first point of contact, but they will loop in the Firefox folks to determine a joint approach," said Berg.
"A project like Firefox uses their standard Bugzilla bug tracker, and I've got personal experience with reporting security bugs to them," he said. "They tend to be really fast in responding to a bug report (security bugs will be marked private as default so that only the reporter and the security team can view it)" before delivering the bug fix.