Google Site Search


Friday, March 9, 2012

Open Source and Security Response

We live in a very interesting world. I term it interesting and not dangerous because I see a lot more good in this world than the bad. So unlike the media who love to portray the bad primarily, I would like to talk about  the good in the world.  A good in the world for the last few years has been Open Source.

Open Source has given many benefits to this world including:
  • Free alternatives to paid Operating Systems.
  • Free open alternatives to the Apple iPhone/iOS ecosystem.
  • Apache Software Foundation, JBoss community, Linux Foundation and other communities that have shipped and are shipping great free open source projects including Apache Httpd Web Server, JBoss Application Server, Linux Distributions etc.
  • Free alternatives to Microsoft Office Ecosystem.

Now let us look at Web Browsers. They have been our gateways to the Internet content. Of course, you need a ISP or a Wifi connection to get to the internet. But the browsers have been the main avenue to access the rich content that is on the internet. Browsers such as Mozilla Firefox, Google Chrome and Opera have been very beneficial to the world. All 3 of them take security of their users very seriously.

I was reading about Google Chrome getting hacked in less than 5 minutes (  Ok, it was not magic.  Definitely those guys had knowledge of some zero-day vulnerabilities, that they had not disclosed before, but used it to get to 60K. (Please read up on zero day at

Now let us talk about the value of Security Response to open source projects. Almost all major OSS foundations (Apache, JBoss, Linux etc) are backed by a proactive security response team who stay on top of vulnerabilities in their projects.

As the number of open source projects is on the rise, it is critical that you adopt a open source project that has an excellent security response team as well as provides newer versions of the project with the fixes. Also the ball is in your park to stay on top of newer releases.  If you are unable to manage the patches or get on newer versions of projects, then I suggest strongly that you adopt commercial versions of open source software such as the JBoss Platforms (EAP, SOA-P, EPP etc),  Hadoop (Cloudera/MapR/HortonWorks) etc because these are backed by a security response team, who will provide the necessary patches. Trust me, all software at all times will have at least one vulnerability. Software does not get created by magic but by humans who are prone to mistakes.

For this reason, I feel that the security response is a critical aspect for Open Source Choice and Adoption. Please visit Red Hat's Security Response for additional information: 
as well as understanding the role of open source and security.

We are currently at

No comments: