I was very happy to see http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief. Finally some attention to the elephant in the room: what is the use of secure coding if your software depends on third party components with flaws? The paper makes some very good points on the general lack of governance for open source components. It mainly focuses on the lack of visibility and control of project dependencies, i.e. what does a build pull in? Are these trustworthy components? Does the build select component versions with flaws? Is any attention paid to security advisories and dependencies updated to versions with the flaws fixed? These points are important. However, I am also concerned about component distribution. How can I be sure that the binary component my build script retrieves from, say, Maven Central is the one released by the relevant open source project? I know there are checksums and such, but I remain to be convinced that this typically affords adequate protection or that it even could do so. If my fears are well-founded, current distribution mechanisms of open source components provide the ideal opportunity for installing back-doors on the server side. I hope I am just being paranoid and the authors neglected to talk about distribution because it is obviously secure. I certainly would have been happier if distribution had been analysed and found secure, or, even, not terribly insecure. Does anyone else share these concerns? Or can anyone allay my fears?
kr,
Yo
--
Johan Peeters
http://johanpeeters.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
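As an added illustration of the checksum concern raised in the post above (this is editorial example code, not from the poster or from Sonatype), the script below contrasts two ways a build can check a fetched artifact: against the `.sha1`/`.sha256` sidecar file served next to it by the repository, and against a digest pinned in the build from an out-of-band source such as the project's release announcement. The artifact bytes, the tampered replacement and the sidecar format are constructed for the example; the sidecar parser follows the common "hex digest, optional file name" convention and is an assumption about the repository, not a statement about Maven Central's implementation.

```python
import hashlib
import hmac
import re


def parse_sidecar(text: str) -> str:
    """Parse a checksum sidecar: a hex digest optionally followed by a file name."""
    match = re.match(r"\s*([0-9a-fA-F]+)\b", text)
    if not match:
        raise ValueError("sidecar does not start with a hex digest")
    return match.group(1).lower()


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_against_sidecar(artifact: bytes, sidecar: str, algo: str) -> bool:
    """Integrity-in-transit check only: the sidecar comes from the same server
    as the artifact, so replacing both together defeats it."""
    return hmac.compare_digest(digest(artifact, algo), parse_sidecar(sidecar))


def verify_against_pin(artifact: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Provenance-style check: the expected digest is recorded in the build
    (obtained out of band) rather than fetched alongside the artifact."""
    return hmac.compare_digest(digest(artifact, algo), pinned.lower())


# Constructed stand-ins for a released jar and a server-side replacement.
GENUINE = b"PK\x03\x04 genuine release of example-lib 1.2.3"
TAMPERED = b"PK\x03\x04 genuine release of example-lib 1.2.3 + extra class"
PINNED_SHA256 = digest(GENUINE)  # recorded when the dependency was vetted


def scenario() -> dict:
    """Server is compromised: artifact and its sidecar are replaced together."""
    served_artifact = TAMPERED
    served_sidecar = f"{digest(TAMPERED, 'sha1')}  example-lib-1.2.3.jar\n"
    return {
        "sidecar_check_passes": verify_against_sidecar(served_artifact, served_sidecar, "sha1"),
        "pin_check_passes": verify_against_pin(served_artifact, PINNED_SHA256),
    }


if __name__ == "__main__":
    print(scenario())  # sidecar check passes, pinned check fails
```

A pinned digest still only tells you the bytes match what you vetted earlier; tying them to the project itself additionally needs the release's signature checked against a key obtained independently of the repository.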