Security Alert – OpenSSL Risk

You have probably already heard or read about the security hole in the OpenSSL library used by many operating systems and other products. The importance is huge, and a website has been set up to disseminate information about it at http://heartbleed.com.

Now that I have brought it to your attention, I have been talking with colleagues about open solutions. Should we avoid them altogether, given that, being open, anyone can get the source code for many solutions and exploit it more effectively?

Or, instead, are there classifications of open systems software? What I mean by this is that you could classify some open systems tools as a higher risk than others. For example, I use NUnit all the time, and I would consider the risk of using NUnit to be extremely low. But what about other open tools, such as some of the NoSQL libraries like Cassandra? What is the risk of someone capturing sensitive data from an open data persistence tool?

Would you consider many of the open tools to be much lower in risk because they are contained within your DMZ, as opposed to something like OpenSSL, which must be exposed to the entire internet?
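One way to make the classification in the two paragraphs above concrete is to tier each third-party component by where it sits and what it touches, rather than by whether its source is open. The script below is an added example, not something from this editorial or from any of the projects named; the rubric, its weights, the tier thresholds and the sample inventory are all constructed assumptions. It scores a component by network exposure, by the sensitivity of the data it handles, and by whether it parses input from outside the trust boundary; licence or openness is deliberately not an input, so an open tool and a commercial one in the same position land in the same tier.

```python
"""Exposure-based risk tiering for third-party components.

Added example, not from the editorial. The rubric, its weights and the
sample inventory are constructed assumptions; they exist to show that
exposure and data sensitivity, not source availability, drive the tier.
"""
from dataclasses import dataclass

# Weight by who can reach the component (constructed rubric).
EXPOSURE_SCORE = {"internet": 3, "dmz": 2, "internal": 1, "build-only": 0}
# Weight by the most sensitive data the component handles (constructed).
DATA_SCORE = {"sensitive": 3, "confidential": 2, "public": 1, "none": 0}
# Extra weight when the component parses data from untrusted peers,
# since that is where input-handling bugs become reachable.
UNTRUSTED_INPUT_BONUS = 2


@dataclass(frozen=True)
class Component:
    name: str
    exposure: str           # key of EXPOSURE_SCORE
    data: str               # key of DATA_SCORE
    parses_untrusted: bool  # handles input from beyond the trust boundary?


def risk_score(c: Component) -> int:
    """Additive score 0..8. Openness/licence is intentionally not an input."""
    score = EXPOSURE_SCORE[c.exposure] + DATA_SCORE[c.data]
    if c.parses_untrusted:
        score += UNTRUSTED_INPUT_BONUS
    return score


def risk_tier(score: int) -> str:
    """Map a score to a review tier (thresholds are assumptions)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def tier_inventory(components):
    """Return {name: (score, tier)} for a list of components."""
    result = {}
    for c in components:
        score = risk_score(c)
        result[c.name] = (score, risk_tier(score))
    return result


# Constructed sample inventory mirroring the editorial's three examples:
# a test runner that only lives on build agents, a data store behind the
# firewall holding customer records, and a TLS library on the public edge.
SAMPLE_INVENTORY = [
    Component("NUnit", "build-only", "none", False),
    Component("Cassandra", "internal", "sensitive", False),
    Component("OpenSSL", "internet", "sensitive", True),
]

if __name__ == "__main__":
    for name, (score, tier) in tier_inventory(SAMPLE_INVENTORY).items():
        print(f"{tier:6} {score}  {name}")
```

Run as a script it lists NUnit as low, Cassandra as medium and the internet-facing OpenSSL instance as high. The useful check is to re-score a component after changing only its exposure: the same data store reachable from the internet and parsing client requests moves to the high tier, which is the point the DMZ question is getting at.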

Are we missing something when it comes to making a security assessment against some of these tools? Do you still have similar risks with commercial tools?

Feel free to drop me a note with your thoughts at btaylor@sswug.org, or get into the conversation here online.

Cheers,

Ben