In the last few years I have gotten several press releases about the insecurity of open source.
A small and welcome industry has emerged around it.
One of the key problem is simple versioning. Many people and companies don’t keep their open source up to date, so when a security hole is later found it may go unpatched for years.
Rather than just kvetch about it, Qualys is offering a free, open source tool, called Blind Elephant, that lets you see the depth of the problem yourself.
The software describes itself as a “web application fingerprinter.” It discovers the version of the application you’re running by by “comparing static files at known locations against precomputed hashes for versions of those files in all all available releases.”
Among the least-updated (and thus least-secure) open source programs in Qualsys’ own analysis are Movable Type, Joomla and phpBB.
The solution is dead simple. Update. Get the latest version, make certain it’s pushed out to all your desktops, and manage things professionally. Just because you’re running open source doesn’t mean you don’t have a professional installation.
What I like best about Qualys is its attitude concerning all this. Rather than condemning what is happening, or use it just as an excuse for a sales call, the company has taken action. And its excellent Sourceforge page even includes links to Sucuri and WAFP, projects which do similar things.
I also understand no elephants were harmed in the creation of this software.
Dana Blankenhorn has been a journalist, writer and part-time futurist for over 30 years.
