Qualys does more than complain about insecure open source

Summary: Qualys is offering a free, open source tool, called Blind Elephant, that lets you see the depth of the open source versioning problem yourself.

In the last few years I have gotten several press releases about the insecurity of open source.

A small and welcome industry has emerged around it.

One of the key problems is simple versioning. Many people and companies don't keep their open source up to date, so when a security hole is later found it may go unpatched for years.

Rather than just kvetch about it, Qualys is offering a free, open source tool, called Blind Elephant, that lets you see the depth of the problem yourself.

The software describes itself as a "web application fingerprinter." It discovers the version of the application you're running by "comparing static files at known locations against precomputed hashes for versions of those files in all available releases."
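The hash-comparison idea quoted above, sketched as an added example for auditing your own deployment; this is not Blind Elephant's code. The application name, release contents and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: static files shipped by three releases of a
# hypothetical application "exampleapp" (not real release contents).
RELEASES = {
    "1.0": {"js/app.js": b"v1 app", "css/site.css": b"style A", "README.txt": b"readme 1.0"},
    "1.1": {"js/app.js": b"v1 app", "css/site.css": b"style B", "README.txt": b"readme 1.1"},
    "1.2": {"js/app.js": b"v2 app", "css/site.css": b"style B", "README.txt": b"readme 1.2"},
}

def digest(data: bytes) -> str:
    # SHA-256 is an assumption; any stable hash works for the comparison.
    return hashlib.sha256(data).hexdigest()

def build_table(releases):
    """Precompute path -> hash -> set of versions shipping that exact file."""
    table = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            table[path][digest(content)].add(version)
    return table

def fingerprint(installed, table):
    """Narrow the candidate versions using every file whose hash is known.

    installed: path -> bytes, read from your own deployment.
    Returns (sorted candidate versions, paths with unrecognised hashes).
    """
    candidates = None
    unknown = []
    for path, content in installed.items():
        versions = table.get(path, {}).get(digest(content))
        if versions is None:
            # Not in the table or locally modified: no evidence either way.
            unknown.append(path)
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return sorted(candidates or []), sorted(unknown)

TABLE = build_table(RELEASES)

if __name__ == "__main__":
    # Constructed install: 1.1 files, README removed, one custom image added.
    installed = {"js/app.js": b"v1 app", "css/site.css": b"style B", "img/logo.png": b"custom"}
    print(fingerprint(installed, TABLE))
```

No single file identifies the release here: each known file only narrows the set, and the intersection is what pins the version down.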

Among the least-updated (and thus least-secure) open source programs in Qualys' own analysis are Movable Type, Joomla and phpBB.

The solution is dead simple. Update. Get the latest version, make certain it's pushed out to all your desktops, and manage things professionally. Just because you're running open source doesn't mean you don't have a professional installation.

What I like best about Qualys is its attitude concerning all this. Rather than condemning what is happening, or using it just as an excuse for a sales call, the company has taken action. And its excellent SourceForge page even includes links to Sucuri and WAFP, projects which do similar things.

I also understand no elephants were harmed in the creation of this software.



Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.
