It's not unusual to find commercial software of one sort or another integrating open source. Jackson says one example is Sydney, Australia-based firm Atlassian, which last summer publicly identified a critical Apache Struts vulnerability in its software. He pointed out that Cisco also issued a security advisory last October related to an Apache Struts remote-code execution vulnerability in its products.
It's often simple to identify sites built on open-source code such as Struts through a Google search, Jackson says.
Open-source code represents the modernization of software development, based on the idea of a "meritocracy" of achievement by software developers contributing to code they all share, Jackson says. But the downside is that "the ecosystem has treated open source like this huge sugar store, living off the sugar high of productivity."
One basic question about open source is whether the organizations making use of it are even aware of it. "It's a fundamental problem," says Jackson. Sometimes it seems like the "bad guys are way more efficient than the good guys" in keeping track of open-source developments and usage.
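The awareness problem Jackson describes has a concrete first step: inventory the build manifests you already ship and ask which of them pull in Struts at all. The following is an added example, not code from the article or from any vendor it names. It parses a Maven `pom.xml` (a constructed sample is embedded inline), resolves `${...}` version properties, which is where dependency scanners most often go wrong, and reports every Struts artifact with the version actually in effect. It makes no claim about which versions are vulnerable; that lookup belongs to a vulnerability database, and the point here is only to answer the question "do we use it, and where?".

```python
"""Inventory Apache Struts dependencies declared in a Maven pom.xml.

Added example; the POM below is constructed for illustration and does not
describe any real product. Struts is matched by groupId (org.apache.struts
for Struts 2, struts for the legacy Struts 1 artifacts).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a property-driven Struts 2 version, one direct Struts
# dependency, one indirect via the plugin artifact, and one unrelated library.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.5.10</struts.version>
    <commons.version>3.4</commons.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
STRUTS_GROUPS = {"org.apache.struts", "struts"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(elem, tag):
    """Return the stripped text of a child element, or None if absent."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def load_properties(root):
    """Collect <properties> plus the implicit project.version property."""
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for p in props_elem:
            # Strip the namespace prefix from the tag name.
            props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    version = _text(root, "version")
    if version:
        props["project.version"] = version
    return props


def resolve(value, props, depth=0):
    """Expand ${prop} placeholders, tolerating chained and unknown properties."""
    if value is None or depth > 10:
        return value
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve(expanded, props, depth + 1)


def find_struts_dependencies(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion)] for every Struts artifact.

    Both <dependencies> and <dependencyManagement> are walked, since a version
    pinned in dependencyManagement is the one that ends up on the classpath.
    """
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    found = []
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        group = _text(dep, "groupId")
        if group in STRUTS_GROUPS:
            artifact = _text(dep, "artifactId")
            version = resolve(_text(dep, "version"), props)
            found.append((group, artifact, version))
    return found


if __name__ == "__main__":
    for group, artifact, version in find_struts_dependencies(SAMPLE_POM):
        print(f"{group}:{artifact}:{version}")
```

Run it against a real repository by reading each `pom.xml` instead of `SAMPLE_POM`; parent POM inheritance and profile-specific properties are not handled here, so treat an unresolved `${...}` in the output as a prompt to look further rather than as a clean bill of health.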