The Hidden Threat Lurking in an Otherwise Secure Software Stack

126

All it takes is a fork from the main branch and a re-branding of the code, and the next thing you know, there’s a hidden threat in your software. Here’s how to protect against it.

“One of the aspects of open source is that it can be forked,” said Tim Mackey, the Technical Evangelist for BlackDuck Software. “If you look at GitHub today and look at the OpenSSL project, you’ll see that over 2500 or 2600 different OpenSSL forks have occurred,”  If a vulnerability in the OpenSSL system occurs, as it did when the Heartbleed bug rose to fame, only the mainline, unforked version of the project will be tagged as being problematic. If the Docker container you downloaded is using a forked version of a piece of open source software, or your cloud computing stack uses a highly customized derivative, you may very well have a hidden threat buried within your system that you won’t be able to identify before hackers identify it for you.

 

Read more at ServerSide