A few years ago, when I was getting my feet wet on the open source beat, open source could claim “security through obscurity.” Desktop Linux was a joke, many open source projects had only a few hundred or few thousand users, everyone knew the big illegal opportunities lay in compromising Microsoft software and systems.
That's not true any longer. Consider the recent directed attack against Sourceforge a wake-up call.
Now, don't get me wrong. Microsoft remains a target. “Patch Tuesday” is an important date on every sysadmin's calendar. It comes as regular as happy hour. (Call it unhappy hour.) But open source is also a rich target environment for evil-doers. For good reasons.
- There's more open source out there than ever before. Linux' market share is ginormous.
- Who needs “desktop Linux” when you have Android? Holy market share.
- Many open source sysadmins just aren't careful.
This last may be most important.
Black Duck has long been concerned with open source security. It's why they bought Spikesource last year. The sad fact is many companies which use open source don't update their software as they should. If you're running old code, it's far more likely to be insecure, to have unpatched vulnerabilities bad guys can exploit.
And there are lots of bad guys out there.
Sourceforge has not been the only big repository targeted. Fedora, the Red Hat community Linux, was attacked as well. This attack appears to have been more limited , seeking a single password, which could have been then used to do some real mischief had it not been discovered. An attack against the server hosting ProFTPD , an important file transfer project, went undetected for three days, and included installation of a backdoor allowing root access to unauthenticated users. The Free Software Foundation's GNU Savannah repository has been attacked. So has Apache.
You get the picture. Bad guys are on the march. Open source is no longer obscure. Which means you need to take the same precautions Microsoft sysadmins have been forced to take. Secure your systems, and just as important, make sure all your open source software is up-to-date and as secure as its makers can make it.
Don't be the next victim.