On 13/2/22 3:38 am, Itschak Mugzach wrote:
If someone develops code that is vulnerable, only the organization he works
for is (potentially) affected and the attacker does not have access to the
code to play with. With open source, the code is accessible to everyone,
and the problem hits millions of organizations.
Are you sure the attacker doesn't have the code? A huge percentage of
hacks come from insider threats. In the case of Solar Winds the attackers
had the code and access to the build pipeline.
The problem is not the vendor that makes use of open source, it is the fact
that when the vulnerability is discovered, there is a time window until it
is patched. And this is only if it was discovered by an ethical bug hunter.
Log4Shell was discovered by a security researcher at Ali-Baba.
Shellshock, Heartbleed, Meltdown etc were discovered by security
researchers at Google.
The difference with IBM or companies is that they don't disclose
vulnerabilities. You probably think that's a good idea. In truth, if
those vulnerabilities are there, especially
on public facing networks there is just as much chance of a breach.
This is why I am not impressed (but do appreciate the effort) by the tools
David and his company uses. They do their best,
They do find vulnerabilities. They are amazingly smart and can detect
when you open a secure TCP connection and don't authenticate the
hostname which could result in a MITM attack. That could be considered
a 0-day.
but it will not help in
case of a zero date and the scale of an open source vulnerability is
unlimited compared to a specific local code, bad as it is.
What about the scale of a vendor product, such as IBM Data Risk Manager?
A security research found 4 0-days and a sackful of other
vulnerabilities and IBM refused to accept the report until
the researcher went public. IBMs customers are enterprises such as banks
and insurance companies.
https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities-4
The security researcher in this video
https://www.youtube.com/watch?v=q8mFhDmBEIc claims to have found > 10
0-days on z/OS by exploiting buffer overflows in APF-authorized C programs
by overlaying R14 with his exploit code. I can't verify the veracity of
this claim but it seems plausible. It's the same technique used in the
Logica breach. Last time you scoffed at that and asked
if there had been a breach. So I guess that 0-days are acceptable unless
there has been a breach, or did I misunderstand you?
The funny thing is that although millions of eyes look at "open source" (as
Chrles mentioned) they rarely find the vulnerability in a very
common, highly used code (such as log4jv2 that has been here since
2012...).
Saying that, open source is here to stay. Just don't wait for the vendor to
report on vulnerabilities. Scan it yourself frequently.
My two israeli shekels cents (Actually called "agorot").
ITschak
*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **| *
*|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|*
On Sat, Feb 12, 2022 at 7:04 PM Charles Mills <[email protected]> wrote:
Nobody asked me, but I think David buried the most important point in the
middle. I have seen lots of TERRIBLE code written by "engineers from big
tech." That's not the key point. The key point is
the code is in the open and can be scrutinized by millions of people
There are thousands (if not millions) of people, ranging from high school
code nerds to professional security consulting firms, hoping to make a name
for themselves by being the first to spot some vulnerability in Apache, the
Linux kernel, etc. That is an incredible free code inspection service. That
is the key to the security of open source (IMHO).
You can't say that for most in-house software. You all know what corporate
culture is like. #1 your boss is not paying you to scrutinize other
peoples' code. And #2 if you spot some flaw in Bob's code you keep your
head down, because Bob is such a grump and does not take criticism well.
And BTW this is coming from someone (me) who is basically a proprietary
software guy. I made my money writing conventionally-licensed proprietary
software. I have never contributed to an open source project.
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of David Crayford
Sent: Friday, February 11, 2022 11:39 PM
To: [email protected]
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
Well, who said it is not a problem???
I do. I maintain that proprietary code has just as many vulnerabilities
as open source. In fact, I would suggest that open source code is better
as the standard of engineer tends to be much higher than your average
Joe coder working for a bank. Also, the code is in the open and can be
scrutinized by millions of people. Who do you think develops open source
software? Is it hobbyists, enthusiasts, students, academics etc? The
truth is it's mostly engineers from big tech who are getting paid to
develop open source. Check out the authors of Apache Commons components
and it's IBMers
https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were
the organization that stumped up the cash and resources to develop
Eclipse. A huge amount of Apache open source code is written and
maintained by IBM and it's used extensively in their products.
It sounds like "open source is free of bugs". However I have never
heard such claim.
Nobody is saying that. That would be ignorant and stupid. All software
has bugs.
More: companies use some kind of whitelisting open source software. In
many cases software developer is not allowed to use "fancy, shining
code" just because there some requirements are on met. It can be
community, reputation, maturity, etc.
How can a company whitelist open source software if they purchase a
product from a vendor or IBM that uses open source? As our products are
sold and marketed by IBM we provide them with a Certificate of
Originality which is a bill of materials that lists all of the open
source software (with versions) that we use. We scan all of our products
as part of our DevOps pipeline. There are three types of scans:
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
