Open source tools and applications can be as good as or better than their proprietary counterparts, according to a survey by Coverity. But aspects of open source make documenting everything absolutely critical.
Richard Weisinger cites in his article, “Open Source: The Good, Bad and Ugly…”, a report by Sonatype that points out the pitfalls of poor documentation. When developers use open source components but don’t track them, they’re unaware of bugs and security vulnerabilities that are found later. They’ve probably moved on to other projects, and the open source components are long forgotten. So, when problems in the component are found and fixed, the old, unsafe component remains behind, waiting to be found and exploited by malicious hackers. And security problems aren’t just issues for smaller and lesser known components: even such giants as Google Web Toolkit have had serious vulnerability problems.
The Threats of Open Source Tools
- Many of even the most popular components have flaws
- Global 500 corporations downloaded 2.8 million flawed components in one year
- Users lack an effective mechanism to discover flaws and fixes
- A single insecure component can compromise the security of hundreds of other components, and expose data to cyber attacks
Necessary though it is, documenting and tracking use of components is tedious and, quite frankly, a poor use of a talented developer’s time. It requires a different skill set than most developers possess. That’s why companies contract with QualityLogic to ensure their projects and their documentation are of the highest quality.
Open source tools are a great resource, and this issue doesn’t change that. But extra awareness and vigilance is required to ensure your implementation is safe and secure.