I read the article “Black Duck: Open Source ist allgegenwärtig - und gefährlich” (a German article on heise.de). The article tells us that open source is dangerous. These are the main reasons it gives:
- it is widely used
- it is not updated once it has been bundled with an app
- the know-how is lost (the internal developer left the company)
I do not disagree that this situation is dangerous, but I disagree that it is related to open source software. Why? Because I have seen it so many times in the last 18 years. There is a need for a small tool; it gets implemented and is never touched again. This is in no way limited to open source:
- openssl (open source)
- third-party components like Telerik, Infragistics, etc. (closed source)
- commercial components of any kind, e.g. PDF generators, parsers, etc. (closed source)
- NuGet packages of any kind when speaking of .NET apps (open source and closed source)
- and so on…
When someone now calls open source insecure and dangerous, I call this a very limited and dangerous angle of view. Just because no one talks about security issues in such closed source components does not mean that there are none.
I have also read more than one article about software maintenance claiming that it is not required because software does not get older. From my point of view, this is where the problems start. The claim is somehow true but also false. Normally, well-written software does not start doing weird things. So if it worked, why change it? We do not change it because we learned “NEVER touch a running system”! :-)
Unfortunately the ecosystem around any application does not freeze; it moves on with new features and potentially dangerous situations. In my opinion software needs maintenance and updates even if no features are changed or added. And if you plan to work with containers like Docker you get pushed even further in that direction, because a container is basically all dependencies of an application within one deployable piece of software. This can be really dangerous if a security issue is discovered in one of the base libraries.
How to solve this?
There is no “one solution fits all situations”. Applications built by an internal IT department may have an advantage here, because the developers are part of the company and the know-how can be kept up to date. The downside of an internal IT department is that you have to argue for every bit of money spent on an application.
So as an internal IT department, you have to constantly push your team lead, project manager, boss or whoever owns the app to understand that such updates are important. This is the only chance of getting the time to maintain the product. You have to point out the risks and the potential damage such an issue may do to the company.
The situation often found with external IT providers is that they have a project team that implements the software. After go-live this team gets a new project or is split up across different tasks and does not care about the delivered application anymore. Even if they wanted to, most of the time they are not allowed to because the customer does not want to pay any extra hours.
An external IT provider should also offer the customer a service to check the used components and libraries for potential security issues and inform them about the findings. This does not have to be free, but it should be part of a service level agreement or a maintenance contract for the application. It has to be declared what the actions and costs are if a real security issue is found and has to be fixed. Probably there is no urgent fix; in that case the fix can be bundled with another fix or feature request.
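The check described above, an inventory of the used components matched against a list of known advisories, is mechanical enough to script. The following is an added example written for this post, not code from the article or from any vendor: the component names, versions and advisory identifiers are constructed placeholders, and the advisory feed is embedded inline so the script runs offline. It shows the two pieces every such check needs, a version comparison that handles letter suffixes (OpenSSL style) and a range test `introduced <= installed < fixed`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory for a hypothetical application. The names and
# versions are placeholders invented for this example, not real components.
INVENTORY = """
# component==version, one pinned component per line
openssl==1.0.2k
pdfgen==3.4.1
json-parser==2.0.0
ui-grid==10.1.5
"""

# Constructed advisory feed: (component, first affected, first fixed, reference).
# Every entry is a placeholder; none refers to a real advisory.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("openssl", "1.0.0", "1.0.2u", "EXAMPLE-0001 (placeholder)"),
    ("pdfgen", "3.0.0", "3.4.2", "EXAMPLE-0002 (placeholder)"),
    ("json-parser", "1.0.0", "1.9.9", "EXAMPLE-0003 (placeholder)"),
]

VersionKey = Tuple[Tuple[int, str], ...]


@dataclass
class Finding:
    component: str
    installed: str
    fixed_in: str
    reference: str


def parse_version(version: str) -> VersionKey:
    """Split '1.0.2k' into ((1, ''), (0, ''), (2, 'k')) so numeric parts
    compare as numbers and a letter suffix sorts after the bare number:
    1.0.2 < 1.0.2a < 1.0.2k."""
    parts = []
    for piece in version.strip().split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if match is None:
            raise ValueError(f"unsupported version component {piece!r} in {version!r}")
        parts.append((int(match.group(1)), match.group(2).lower()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; shorter versions are
    padded with zero parts so that 1.0 == 1.0.0."""
    ka, kb = parse_version(a), parse_version(b)
    width = max(len(ka), len(kb))
    ka += ((0, ""),) * (width - len(ka))
    kb += ((0, ""),) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_inventory(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, ignoring blanks and '#' comments."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"malformed inventory line: {raw!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_affected(inventory: Dict[str, str],
                  advisories: List[Tuple[str, str, str, str]]) -> List[Finding]:
    """A component is affected when introduced <= installed < fixed."""
    findings = []
    for component, introduced, fixed, reference in advisories:
        installed = inventory.get(component.lower())
        if installed is None:
            continue
        if (compare_versions(installed, introduced) >= 0
                and compare_versions(installed, fixed) < 0):
            findings.append(Finding(component, installed, fixed, reference))
    return findings


def report(findings: List[Finding]) -> str:
    """Human-readable summary, one line per affected component."""
    if not findings:
        return "no known-affected components"
    return "\n".join(
        f"{f.component} {f.installed}: affected, fixed in {f.fixed_in} ({f.reference})"
        for f in findings
    )


if __name__ == "__main__":
    print(report(find_affected(parse_inventory(INVENTORY), ADVISORIES)))
```

In a real engagement the inventory would come from the build (a lock file, packages.config, or the package list inside a container image) and the advisories from the vendor or the package manager's audit tooling; the matching step stays the same, and it works just as well for closed source components as long as the vendor publishes fixed versions.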
It is not open source that is dangerous. Unmaintained software of any kind is dangerous!
So my advice: update your libs, external dependencies, components and other pieces of software you use. Even if it is mostly not a big issue today, it may become a really big issue tomorrow.