Does your boss read garbage like this?
cmw.osdude
I've still been fighting to get my life back to normal after SXSW 2012. If you missed out on all of that you can still catch up on the action from the developerWorks team at the developerWorks SXSW Adventure 2012. I've also uploaded my live video broadcasts from that week onto my YouTube channel. There will be more broadcasts in the future. Right now I just need to type this out without worrying about how my hair looks. (I'm afraid I'll never truly have TV hair.)
Open Source summons demons and creates flesh eating zombies
I hesitate to point you to the source of my rant, and I'm afraid it's going to be a rant today, because it will add hits to their site and make them feel that people want to see more of this garbage. I've got it! I'll point you to a cached version of the article.
Are they saying that open source software is more plagued with security flaws than commercial software? No. Are they saying that open source developers refuse to consider security when they develop? No. Are they saying that open source developers are less skilled at security than commercial developers? No.
They are saying that developers who use open source projects don't always keep up with the latest version of libraries to take advantage of the security updates, or that they let their code stagnate on older versions of a library. I know I'm probably knee-jerking on this, but I'm really irritated at this sort of sensationalized approach to talking about good IT and development habits. The truth is that in general open source projects do a pretty good job of keeping up with security vulnerabilities if there is sufficient interest to keep the project running. True, some projects decline, but I'm sure there are people running older versions of commercial software who haven't updated either. (Are you telling me you've never seen someone running an application on something like FoxPro 5 because the guy who wrote the project is long gone and they don't have anyone else to update it? Besides... it's working just fine.)
The real point that is being made here is that if you are going to be security conscious you must be update conscious as well. If, as an individual developer or company, you decide that it is too much trouble to keep something up to date then you probably should stop distributing it, or open it as a community project so that others can step in and pick up the slack. As a user, if you find that you cannot use a product because it requires you to load back-leveled libraries to make it work, you should become suspicious and factor that into your decision.
Software is a constantly moving target. The best way to keep yourself up-to-date is to use a distribution that has a supported automatic update system, and only use projects that fit into that scheme. I use Ubuntu, which has an excellent package system. Red Hat and SUSE have good ones too. For the most part, the projects that I really use are either a part of that repository or support me adding their own site to my update list.
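The automatic-update setup recommended above, as an added example that is not part of the original post: it enables Ubuntu's unattended-upgrades for the distribution's security pocket, so that only packages from the supported repository are updated on their own. The optional staging-root argument is this example's own convention, so the files can be written to a scratch directory before touching the live /etc.

```shell
#!/bin/sh
# Added example (not from the original post): turn on unattended security
# updates on Ubuntu/Debian. ROOT is an assumption of this example so the
# configuration can be staged into a scratch directory first.
write_auto_update_config() {
    root="${1:-}"
    dir="$root/etc/apt/apt.conf.d"
    mkdir -p "$dir"

    # Refresh the package lists daily and run unattended-upgrade daily.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Pull only from the distribution's security pocket: this is the
    # "supported automatic update system" in practice. A project that can
    # only run on back-leveled libraries from its own repository is not
    # covered here, which makes it visible as the outlier it is.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Mail "root";
EOF
}

# Dry run: lists what unattended-upgrade would install, without changing anything.
preview_unattended_upgrades() {
    unattended-upgrade --dry-run -d
}
```

Install the unattended-upgrades package first, then run write_auto_update_config as root with no argument to write into the live /etc. Check preview_unattended_upgrades before relying on the schedule.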
One should also factor in the risk. Many pieces of software have unusual vulnerabilities. If you look at hacking sites you find some really strange and surprising ways that software can be compromised, but often only under very specific conditions. The trick is to get the user to create those conditions or to find where they already exist. Awareness that bad things can happen and paying attention to the warning signs will keep you out of a lot of trouble.
If I had titled that article, it would say "Lazy system administrators and developers propagate security flaws". I think that's a little closer to the truth.