How many of your projects include open source software? Maybe it is better to call it free software. As a person who has spent time in the corporate world, I get the idea of using open source software. Much of it is free or at very low cost. However, is it secure and how do you go about proving that it is secure? For example, OpenSSL had the Heartbleed vulnerability in it for some time before it was discovered and disclosed.

If you are using a piece of software that was not written by your own company, how do you not realize that this software may have vulnerabilities in it that have not been discovered or disclosed? Make sure you find out, either by doing the work yourself or through a third party. We have had many companies tell us not to worry about the results from the open source software because it was not their software and they cannot or will not fix it. If you find vulnerabilities in this open source software, make sure you address them or at least mitigate them.

Right now, I am in the middle of a code review for a company that is using an open source framework. I looked it up and the framework has not been modified since July 2012. The framework they are using is full of vulnerabilities, including SQL Injection and cross-site scripting (both persistent and stored). If the person who wrote this code could do it wrong, they did. Out of the 10,000+ vulnerabilities found by the automated code review tool, almost 80% were for the framework.

For this company I am doing the code review for, I am going to recommend working with the framework’s author to address these vulnerabilities or to try to find a different framework. Maybe one that has been updated recently. I am also going to recommend they look at implementing a web application firewall. If not, they are going to have problems.

This framework is a good example of what not to do. Security vulnerabilities, attacks, programming languages, and tools have evolved to make your application much more secure, but your developers need to understand the concepts of secure coding techniques. You also need to evaluate the frameworks you are using and not assume they are safe.