Rapid7 Discloses Seven New Metasploit Module Exploits

More recently, the realization that national governments are able to require their native companies to build backdoors into both hardware and software products has given a boost to this argument: without reverse engineering many millions of lines of code, it is virtually impossible to detect a proprietary backdoor. Conversely, faults, flaws and bugs are, in theory, clearly visible in FOSS.

But theory and practice rarely align. Rapid7 has published a new two-part report on vulnerabilities found by Metasploit contributor Brandon Perry in seven FOSS products downloaded from SourceForge. Part Two of the report (written by Perry) discusses the vulnerabilities in detail; Part One (written by Metasploit engineering manager Tod Beardsley) discusses some of the conclusions and recommendations that can be drawn from the exercise.

"Brandon easily found exploitable vulnerabilities in 7 of the most popular applications on the open source download site, SourceForge. Collectively, these applications have been downloaded nearly 16 million times," announced Rapid7 this morning. But the real problem is not the existence of the bugs, but the difficulty in getting them fixed even though they are within open source projects.

Perry found vulnerabilities in Moodle, vTiger CRM, Zabbix, Openbravo ERP, ISPConfig, OpenMediaVault, and NAS4Free. He developed exploits and reported his findings to the projects concerned; but at this time, only two have been fixed. The Moodle vulnerability disclosure timeline is typical: vulnerability discovered early August; disclosed to vendor late August; publicly disclosed (unfixed) late October. Moodle has been downloaded from SourceForge more than 4.5 million times.

Beardsley's conclusion is that the real problem lies in the way open source projects accept disclosures and handle vulnerabilities: "the actual business of disclosing vulnerabilities to the software developers directly was... circuitous," he wrote. "Across these seven projects, I found there were at least seven different approaches to handling incoming vulnerability reports."

While big open source projects such as Apache and Mozilla have well-defined and effective processes, "the majority of smaller applications lack the same level of community participation and typically have little in the way of security processes in place (security open source projects aside)," says Rapid7.

Beardsley's proposal is an 8-point vulnerability checklist, ranging from an easily guessable, preferably standard reporting point (such as 'security@yoursoftware.com') to issuing a patch and a disclosure. In the middle is 'acknowledge receipt'. "If you are getting a disclosure for free you should be polite and acknowledge receipt. The vulnerability discoverer is playing by the rules, so you should make the effort as well. Worst case, you don't respond, and the discoverer just dumps his findings on Full Disclosure."

Earlier this month, Google recognized and tried to address the same problem by launching a 'Patch Reward' program specifically for open source projects, extending its existing vulnerability reward program to pay for "financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

"Google's new Patch Reward program is a great step towards helping make open source software more secure and giving back to the community," Christian Kirsch, product marketing manager at Rapid7 told Infosecurity. But Rapid7's approach of discovery and disclosure via Metasploit is equally valuable. "This is what Rapid7 did yesterday with the disclosure of security issues for the 7 most popular SourceForge projects. The fact that there is no overlap between these projects and the ones covered by Google shows that this is a very broad field."