Qualys does more than complain about insecure open source

Summary: Qualys is offering a free, open source tool, called Blind Elephant, that lets you see the depth of the open source versioning problem yourself.

TOPICS: Open Source
In the last few years I have gotten several press releases about the insecurity of open source.

A small and welcome industry has emerged around it.

One of the key problems is simple versioning. Many people and companies don't keep their open source up to date, so when a security hole is later found it may go unpatched for years.

Rather than just kvetch about it, Qualys is offering a free, open source tool, called Blind Elephant, that lets you see the depth of the problem yourself.

The software describes itself as a "web application fingerprinter." It discovers the version of the application you're running by "comparing static files at known locations against precomputed hashes for versions of those files in all available releases."
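To make the fingerprinting approach concrete, here is a small added example (my own code, not Blind Elephant's) that does the same thing in miniature: it precomputes a table of hash → versions for every static file across a set of releases, then narrows the installed version of a target by hashing the files it can fetch. The releases for the imaginary "demoapp" are constructed sample data, and the `fetch` callback stands in for an HTTP client. A file the target does not serve counts as no evidence, and a file whose hash matches no release is reported as locally modified rather than being allowed to wipe out the candidate set, which is what an administrator auditing their own installs would want to see.

```python
"""Miniature web-application fingerprinter (added example, not Blind Elephant).

Release contents below are constructed sample data for an imaginary
application; nothing here is taken from a real project.
"""
import hashlib

# Constructed sample: three hypothetical releases of "demoapp", each mapping
# a static file path to its contents. In practice these come from unpacking
# every official release archive.
RELEASES = {
    "1.0": {
        "/js/app.js": b"var app = 1;",
        "/css/site.css": b"body { margin: 0 }",
        "/README.txt": b"demoapp 1.0",
    },
    "1.1": {
        "/js/app.js": b"var app = 1;",            # unchanged from 1.0
        "/css/site.css": b"body { margin: 0 }",   # unchanged from 1.0
        "/README.txt": b"demoapp 1.1",
    },
    "2.0": {
        "/js/app.js": b"var app = 2;",
        "/css/site.css": b"body { margin: 0 }",   # identical in all releases
        "/README.txt": b"demoapp 2.0",
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fingerprint_db(releases):
    """Precompute {path: {sha256_hex: {versions that ship that exact file}}}.

    This is the offline step: it is run once per known release set, so the
    scan itself never needs the release archives.
    """
    db = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha256(content), set()).add(version)
    return db


def fingerprint(db, fetch):
    """Narrow the installed version from the files a target actually serves.

    `fetch(path)` returns the file bytes, or None when the path is absent
    (e.g. an HTTP 404). Returns (candidates, modified):
      candidates: versions consistent with every file that matched a known hash
                  (empty set means the files contradict each other, e.g. a
                  half-finished upgrade);
      modified:   paths present on the target whose hash matches no release
                  (locally edited files, or a version not in the database).
    """
    all_versions = {v for hashes in db.values() for vs in hashes.values() for v in vs}
    candidates = set(all_versions)
    modified = []
    for path, hashes in sorted(db.items()):
        content = fetch(path)
        if content is None:
            continue                        # absent: no evidence either way
        versions = hashes.get(sha256(content))
        if versions is None:
            modified.append(path)           # present but unknown: do not narrow
            continue
        candidates &= versions              # keep only versions shipping this exact file
    return candidates, modified


def needs_update(candidates, latest):
    """True when fingerprinting could not rule out an older release."""
    return any(v != latest for v in candidates)


if __name__ == "__main__":
    db = build_fingerprint_db(RELEASES)
    # Constructed target: a 1.1 install whose README was deleted by the admin.
    target = {"/js/app.js": b"var app = 1;", "/css/site.css": b"body { margin: 0 }"}
    found, changed = fingerprint(db, target.get)
    print("candidate versions:", sorted(found), "modified:", changed)
    print("needs update:", needs_update(found, latest="2.0"))
```

Note that `/css/site.css` is identical in every release, so matching it never narrows the result; real fingerprinters weight the files that differ between versions most. The example also shows why a single hash match is rarely enough: with the README gone, 1.0 and 1.1 cannot be told apart from the remaining files, and the honest answer is the set {1.0, 1.1}, which is still enough to know the install is behind 2.0.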

Among the least-updated (and thus least-secure) open source programs in Qualys' own analysis are Movable Type, Joomla and phpBB.

The solution is dead simple. Update. Get the latest version, make certain it's pushed out to all your desktops, and manage things professionally. Just because you're running open source doesn't mean you don't have a professional installation.

What I like best about Qualys is its attitude concerning all this. Rather than condemning what is happening, or using it just as an excuse for a sales call, the company has taken action. And its excellent Sourceforge page even includes links to Sucuri and WAFP, projects which do similar things.

I also understand no elephants were harmed in the creation of this software.

Talkback

1 comment
good idea... but

anything that has to be checked out via subversion and built from source is NOT ready for the enterprise.

-- A.Lizard