Working in Public: The Making and Maintenance of Open Source Software by Nadia Eghbal

Author: Nadia Eghbal
Language: eng
Format: azw3
Publisher: Stripe Press
Published: 2020-08-03T16:00:00+00:00


Publicly disclosed security vulnerabilities are listed in the National Vulnerability Database, which is maintained by the United States National Institute of Standards and Technology (NIST), and are identifiable by a Common Vulnerabilities and Exposures (CVE) ID. But not all vulnerabilities make it into the database.

Bigger projects might use a monitoring tool like Snyk or SourceClear to scan their code and notify maintainers of known security vulnerabilities, but the maintainers of smaller open source projects, frankly, often can’t be bothered. In 2017, GitHub added the option to receive security alerts for open source projects and their dependencies, focusing on a few major ecosystems, including JavaScript and Ruby. But seeing that there is a vulnerability in one’s dependency tree doesn’t mean a maintainer will take the time to address it. Some vulnerabilities are easily patched; others feel like more trouble than they are worth.

Even big companies are susceptible to inertia when it comes to patching security vulnerabilities. In 2017, Equifax reported a security breach in which more than 140 million customers’ personal information was compromised, including Social Security numbers, credit card numbers, and addresses. The vulnerability was found not in the code that Equifax had written but in one of its open source dependencies, Apache Struts. The security vulnerability had been disclosed with a CVE ID several months before, and a patch had been released, but Equifax’s developers failed to update the company’s software in time.[227]
