A few years ago, when I was getting my feet wet on the open source beat, open source could claim “security through obscurity.” Desktop Linux was a joke, many open source projects had only a few hundred or few thousand users, everyone knew the big illegal opportunities lay in compromising Microsoft software and systems.
That's not true any longer. Consider the recent directed attack against Sourceforge a wake-up call.
Now, don't get me wrong. Microsoft remains a target. “Patch Tuesday” is an important date on every sysadmin's calendar. It comes as regular as happy hour. (Call it unhappy hour.) But open source is also a rich target environment for evil-doers. For good reasons.
- There's more open source out there than ever before. Linux's market share is ginormous.
- Who needs “desktop Linux” when you have Android? Holy market share.
- Many open source sysadmins just aren't careful.
This last point may be the most important.
Black Duck has long been concerned with open source security. It's why they bought Spikesource last year. The sad fact is that many companies that use open source don't update their software as they should. If you're running old code, it's far more likely to be insecure, to have unpatched vulnerabilities that bad guys can exploit.
And there are lots of bad guys out there.