Having discussed this issue with them recently it is easier to see where they are coming from. Maintaining the latest version of software is the best way to improve security, and many people don't update their open source packages routinely.
But instead of looking at the glass as half-empty this Christmas, Palamida is offering the glass half-full approach. Specifically, they've got a list of the 25 most secure open source projects out there posted on their Web site.
There are what I'd call the "usual suspects" on the list (Eclipse, NetBeans, JasperReports). Projects backed by strong companies can afford Palamida's services and can focus on the security issue.
But there are also some surprises. I picked out a few:
- The Yahoo User Interface library. Who knew? Also note I found no Google projects on the list.
- Apache Derby. The Apache folks have so many fine projects it was surprising to see this little database engine as the only one listed.
- libpng, the PNG reference library. It lists just one dedicated maintainer and 8 contributors, proof a project does not have to be big to be secure.
I think of this as a Christmas stocking for all IT managers focused on security. Open it at your leisure. (Jaxrant hung this stocking on the virtual mantel last year.)