Open Source: these security flaws that go unnoticed at the expense of the community

Recently, experts have highlighted a fact that presents itself as problematic.

It's the fact that vulnerabilities that affect open source applications go unnoticed because of the limited resources allocated for their search and correction. We're talking about almost four years before these security vulnerabilities were discovered.

This article will also interest you: Windows XP: the source code of Microsoft's operating system available online

This is the result of the report entitled "State of the Octoverse" by the GitHub platform, which specializes in the development and hosting of open source software.

The advantage with Open Source software is that their developers allow all those interested in their work to view their source code, unlike those who allow consultation in exchange for the payment of a sum of money.

Because of the non-remuneration of the Open Source, the human resource is scarce. This makes it difficult to work on detecting and fixing security vulnerabilities.

For example, Heartbleed has been a software vulnerability that has been affecting the OpenSSL cryptography library since March 2012. This security flaw allows hacker operators to learn about a client server's memory to retrieve important data when communicating with the Transport Layer Security (TLS) protocol.

A long-term vulnerability affecting several Internet services was only discovered in 2014, and brought to the attention of the general public in April. Which means that the hacker had 2 years to exploit and study the security flaw from top to bottom. Thus exposing thousands of servers around the world. It was thanks to a volunteer researcher that the vulnerability was discovered. It would have been present in the OpenSSL repository when it was proposed to fix other security flaws with feature improvements. Clearly, it is a security flaw that was introduced by mistake. This kind of security flaw accounts for literally 83% of the vulnerabilities discovered on open source projects on the GitHub platform.

However, the microsoft platform report also states that 17 percent of the security vulnerabilities discovered were expressly introduced by people of bad intentions. A report entitled Risksense recently published that source security vulnerabilities are growing. And this is understandable by the fact that many IT projects nowadays are based on open source research. This increases the interest of people often maliciously intent.

"The security vulnerabilities of open source software sometimes go under detection radar for 4 years before being revealed due to weaknesses in the sphere's funding model," the report says. "The Open Source funding model is among the factors most likely to explain why security vulnerabilities within software go under the radar for such important periods. ».

Some initiatives are trying hard to support free software projects. These include the Core Infrastructure Initiative (CII). But of course, these projects are quite rare. The Core Infrastructure Initiative is one of the groups that alerted and reacted to the discovery of the Critical Heartbleed vulnerability in the OpenSSL library, being used by millions of websites. The problem with this initiative is that its scope is quite limited, because it will have to rely on external financial contributions in particular, coming from software owners, including Facebook, Microsoft, Oracle, VMWare, Comcast as the main ones.These same software owners who also fund the Linux Foundation and other similar projects. Financial assistance cannot be provided without consideration at a certain level. Because they then, because of their contribution, they have seats on the decision-making board, thus extending their control even in the world of free software. Bryan Lunduke says: "The immediate consequence is that the open source projects that receive funding are the ones on which their infrastructure relies in the majority. ». This puts aside those that are not used much by the same infrastructure that funds.

Now access an unlimited number of passwords: