Is an open source web application more prone to hacking?

In a recent interview I was asked:

An open source web application (such as one built on Struts / Spring) is more prone to hacking, as anyone can access the source code and modify it. How do you prevent it?

My answer:

The Java source code is not directly accessible. It is compiled into class files, which are then packaged into a WAR file and deployed to a secure container, such as a WebLogic application server. The application server is located behind the corporate firewall and is not directly accessible.

At that time, I didn’t mention anything about XSS and SQL injections, which could affect a COTS-based web application similar to open source.

My questions:

a) Is the answer to the question correct?

b) What additional items can I add to the response?


EDIT:

As I digest your answers, let me also point out that the question also had in mind such frameworks as Liferay and Apache OFBiz.

+7
java security web-applications
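The question mentions XSS and SQL injection as the items left out of the interview answer. Both are defects in the application's own code, and they exist whether or not the framework underneath is open source. The following is an added example, not code from the question or any of the answers, written in Python with the standard-library sqlite3 module so that it runs without a database server; the table, rows and inputs are constructed for the demonstration. In a Java/Spring application the same distinction is string concatenation into a JDBC query versus a PreparedStatement with bound parameters, and raw output in a JSP versus an escaping tag or function.

```python
import sqlite3
import html


def make_db():
    # Constructed in-memory sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Concatenation: the caller's input is parsed as part of the SQL grammar,
    # so a quote character in the input changes the meaning of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_hardened(conn, name):
    # Parameterised query: the input is bound as a value and is never parsed
    # as SQL, so quote characters in it are just characters.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def render_vulnerable(name):
    # Reflecting input into HTML unescaped: the browser parses any markup it contains.
    return "<p>Hello, " + name + "</p>"


def render_hardened(name):
    # Escaping on output turns <, >, &, " and ' into inert entities.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the string literal the query opened.
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(conn, "bob"))   # ['bob']
    print(lookup_vulnerable(conn, hostile))  # every row in the table
    print(lookup_hardened(conn, hostile))    # []
    print(render_vulnerable("<b>bob</b>"))   # markup passes through
    print(render_hardened("<b>bob</b>"))     # markup is escaped
```

Nothing in this example depends on whether the framework's source is published: the vulnerable and hardened versions differ only in how the application handles its own input and output, which is the point the interview answer missed.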
4 answers

The question is a veiled security-through-obscurity argument. I suggest you read the usual pros and cons and see how it fits:


My personal opinion is that obscurity is, at best, the weakest layer of defense against attack. It can help filter out automated attacks by uninformed attackers, but it does not greatly affect a determined attack.

+16

a) Is the answer to the question correct?

The part about the source being unavailable (to change it) because it is compiled and deployed where it cannot be touched is not a good answer. The same applies to non-open source software. What is held against the open source stack is that the source is readable, which simplifies the search for vulnerabilities that could be used against the installed application (compiled or not).

The point about the firewall is good (although this does not apply to open or closed software).

b) What additional items can I add to the response?

The main counter-argument to security through obscurity (which was the argument here) is that with open source software, many other people will look at the source to find and fix these problems.

as anyone can access the source code and change it.

Are you sure this is what they said? Change it? Not "study it"?

I don’t see how anyone can just change the source code for Struts ...

+5

A popular open source web framework / CMS / library is less likely to have terrible bugs in it for a long time, as there are many people who look at the code, find bugs and fix them. (Note that for this to help, it is important that you keep your installation updated.)

Now your friend has a tiny point: anyone who can fix the bugs can also introduce them if the project is managed by a bunch of idiots. If they take patches from any random person without reviewing them, or do not know what they are doing in the first place, bugs can be introduced into the framework. (Again, this does not matter if you do not update regularly.) Therefore, it is important to use one that is decently maintained by people who know what they are doing.

Note that all the issues with open source frameworks / applications also apply to COTS. You simply don't know about the bugs in the latter until bugtraq and other similar lists publish them, as large companies like to pretend that there are no bugs in their software until they are forced to respond.

+2

a) Yes. Open source does not mean open binaries :) The sentence "anyone can change the source code" is simply wrong (you can change your copy of the code, but you cannot edit the Apache Struts code).

b) Perhaps the fact that the source code is visible makes it easier for someone to see possible flaws and exploit them. But the same argument works the other way: as many people look at the code, flaws are discovered faster, so the code is more stable in the end.

+1
