[SC-L] security in open source components

Johan Peeters yo at secappdev.org
Tue Apr 24 16:22:08 EDT 2012

I was very happy to see
Finally some attention to the elephant in the room; what is the use of
secure coding if your software depends on third party components with
The paper makes some very good points on the general lack of
governance for open source components. It mainly focuses on the lack
of visibility and control of project dependencies. I.e. what does a
build pull in? Are these trustworthy components? Does the build select
component versions with flaws? Is any attention paid to security
advisories and dependencies updated to versions with the flaws fixed?
These points are important. However, I am also concerned about
component distribution.

How can I be sure that the binary component my build script retrieves
from, say, Maven Central is the one released by the relevant open
source project? I know there are checksums and such, but I remain to
be convinced that this typically affords adequate protection or that
it even could do so. If my fears are well-founded, current
distribution mechanisms of open source components provide the ideal
opportunity for installing back-doors on the server side.

I hope I am just being paranoid and the authors neglected to talk
about distribution because it is obviously secure. I certainly would
have been happier if distribution had been analysed and found secure,
or, even, not terribly insecure.

Does anyone else share these concerns? Or can anyone allay my fears?


Johan Peeters
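
The checksum concern raised in the message above, as an added example that is not part of the original post: a checksum served by the same repository as the artifact only detects transfer corruption, while a digest recorded out of band also detects a replacement made on the server. The `Repo` class, the artifact path and all byte strings are constructed for illustration.

```python
import hashlib
import hmac


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Repo:
    """Constructed in-memory stand-in for an artifact repository."""

    def __init__(self):
        self.files = {}

    def publish(self, path: str, data: bytes) -> None:
        # The repository stores the artifact and its .sha1 sidecar side by side.
        self.files[path] = data
        self.files[path + ".sha1"] = sha1_hex(data).encode()

    def get(self, path: str) -> bytes:
        return self.files[path]


def verify_sidecar(repo: Repo, path: str) -> bool:
    """Compare the artifact with the checksum file served by the same repository."""
    expected = repo.get(path + ".sha1").decode().split()[0]
    return hmac.compare_digest(sha1_hex(repo.get(path)), expected)


def verify_pinned(repo: Repo, path: str, pins: dict) -> bool:
    """Compare the artifact with a SHA-256 kept outside the repository."""
    expected = pins.get(path)
    if expected is None:
        return False  # fail closed: no pin means no trust
    return hmac.compare_digest(sha256_hex(repo.get(path)), expected)


def demo():
    repo = Repo()
    path = "org/example/lib/1.0/lib-1.0.jar"  # constructed coordinates
    released = b"constructed bytes standing in for the project's release"
    repo.publish(path, released)
    pins = {path: sha256_hex(released)}  # recorded by the consumer, e.g. in version control
    before = (verify_sidecar(repo, path), verify_pinned(repo, path, pins))
    # Whoever controls the server can change artifact and sidecar together.
    repo.publish(path, b"constructed bytes standing in for a modified artifact")
    after = (verify_sidecar(repo, path), verify_pinned(repo, path, pins))
    return before, after
```

The pin only helps if it was taken from a copy the consumer already had reason to trust; it fixes the artifact at that point in time and says nothing about whether that copy matched the project's release.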
