Open-Source code is unsafe and risky because of its rampant use, claims report

[Gandalf_The_Grey]

Content source

https://www.neowin.net/news/open-source-code-is-unsafe-and-risky-because-of-its-rampant-use-claims-report/

Open-source software has been increasingly popular among developers and tech companies. However, the unrestricted deployment of open-source code is steadily becoming a security risk, claims a new report titled “The State of Open-Source Security”.

The research from developer security firm Snyk and the Linux Foundation claims more than a third of the organizations don't have high confidence in their open-source software security. Speaking about the report, Matt Jarvis, director of developer relations at Snyk said:

Software developers today have their own supply chains -- instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.
This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open-source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue to build fast, while also staying secure.

The research claims an average application development project has 49 vulnerabilities and 80 direct dependencies. Moreover, the time it takes to fix vulnerabilities in open-source projects has steadily increased. Back in 2018, it took on average 49 days to fix a security vulnerability. In 2021, it takes about 110 days to develop a patch.

 

[rain2reign]

The research claims an average application development project has 49 vulnerabilities and 80 direct dependencies. Moreover, the time it takes to fix vulnerabilities in open-source projects has steadily increased. Back in 2018, it took on average 49 days to fix a security vulnerability. In 2021, it takes about 110 days to develop a patch.

So it's not just, because of its rampant use. But also because of their lack of contributors. You can find all the loopholes you want, but if there are not enough developers to fix them, of course it's going to be insecure. The same can be said the other way around. I do notice there is an increasing amount of 'issues' reported in the Linux community in recent years. Does this mean, it has become insecure due to keeping up with increasing demand? No... Just means, unlike years ago, there are just that many more eyes inspecting the source code. It was always "as insecure", just not interesting enough for a great number of people to actually inspect and dive into it.

Similar reason, there have been more malware reported for Linux. It was just not interesting enough in the past....yet. Now that open source has been embraced, of course you are going to find a lack of developers to tackle the issues. Not to mention the fact that more than half of these projects never push their fixes upstream, as it should, nor honour the licence that came with the original source code. Especially that last bit, is an issue in the current open source environment.

 

[Brahman]

An un-patched non developed open source application is far more a security threat than an un- patched closed source application. Use your senses before deploying any such software. Use only the ones which are actively developed.

 

[upnorth]

there have been more malware reported for Linux.

It's dead easy to find malware for Linux on repositories.

 

[rain2reign]

It's dead easy to find malware for Linux on repositories.

The problem i usually have is that Linux users tell me "its safe, there has never been/is no proper malware" and then start cursing at you for insinuating.

 

[shmu26]

Can someone link me to instances of linux home users becoming infected in recent years? There is plenty of linux malware, that is clear. But from what I have read, it targets servers, rather than home users. I would give up linux if there is documentation that malware poses a significant real-life threat to home users.

 

[AG3S]

When it comes to the Malware and in general security Linux IS more secure .. HOWEVER!!!! this sentence is more for advanced Linux users and not the normal users who would like to use Linux as their main driver.

Why?
I am not an advanced user but I am using Linux for more than 10 years (in addition to Windows and MacOS). The positive fact about linux is that unlike Windows and Mac you have the power! that means you can specify which app has access to what and how.

For example when I find an app that I really need but I am not sure about the developer, I install it in a sandbox and give the access of the downloads folder to this app only. Now, even if this this app has 0-day malware in it, I will not be that affected. In Windows and Mac you can not have such features (as easy as Linux). But as I mentioned normal users are not aware of such functions.

In addition the second problem of Linux are the repositories which are can be added by the end users easily. Most of the repositories do not have a thorough inspection of the submitted apps (even Flathub). And IF Linux has an Apple-Like (or F-Droid-Like) inspection team so that they check all the apps before releasing them, then I would say... Linux is the safest OS.
This is for both Server and Desktop versions of Linux.

But personally I believe if you know what you are doing and select a reputable distro and desktop, you are relatively safer than other OS. I have much more productivity with Linux compared to Windows and I got used to it very fast.

If someone asks me that he or she want to move to Linux, I would tell him/her.. please increase your knowledge regarding Linux a little and also do not install apps from any source (which it is really difficult to do as a new user.

I am personally using POP_OS and ZORIN OS. I set all the FlatHub apps not to have access to anything but my Downloads folder... This might make the life of some people very difficult... but this way I can rather say... I am a little more secure than Windows and Mac

 

[Brahman]

Can someone link me to instances of linux home users becoming infected in recent years? There is plenty of linux malware, that is clear. But from what I have read, it targets servers, rather than home users. I would give up linux if there is documentation that malware poses a significant real-life threat to home users.

Any Linux distro be it Debian derivative or Arch is far more secure than windows provided you stick with the apps that its app store provides. The minute you add a 3rd party repository you are inviting a potential risk. For an average home user, to get infected you should really hunt for a virus and then know how to give necessary permissions to the file you have downloaded to run it and then in the last step type your sudo password to finally run it. So its not that easy to get infected on your linux distro, a single dumb act can't get you infected at all, it needs a series of dumb acts. But that being so, you are not supposed to add 3rd pary repos or compile scripts from unknown github repos on your distro. Take care with 3rd party repos, even if the chances of being infected is slim, information theft can be done pretty easily which in itself is far more serious than a virus infection.

 

[shmu26]

Any Linux distro be it Debian derivative or Arch is far more secure than windows provided you stick with the apps that its app store provides. The minute you add a 3rd party repository you are inviting a potential risk. For an average home user, to get infected you should really hunt for a virus and then know how to give necessary permissions to the file you have downloaded to run it and then in the last step type your sudo password to finally run it. So its not that easy to get infected on your linux distro, a single dumb act can't get you infected at all, it needs a series of dumb acts. But that being so, you are not supposed to add 3rd pary repos or compile scripts from unknown github repos on your distro. Take care with 3rd party repos, even if the chances of being infected is slim, information theft can be done pretty easily which in itself is far more serious than a virus infection.

I would not be surprised if risky apps could be found on the Arch User Repository (AUR), which is community-maintained, without any draconian supervision, and it is officially a use-at-your-own-risk software source. On the other hand, the installation script is displayed right before your eyes, before it is installed, and a skilled user can train himself without too much effort to identify suspicious entries. There are YouTube videos about it.
But I never saw a user posting on the Arch forum or the Manjaro forum for help because he thinks he got infected by an iffy app from AUR.
Most repositories, with the exception of AUR, are pretty well maintained nowadays, AFAIK.

 

[monkeylove]

I think all operating systems are vulnerable, and that won't be known unless malware authors exploit them. The latter will also generally not target systems that aren't widely used because it's not worth the effort to do so. Finally, the more features available, the greater the possibility for vulnerabilities. These features may involve combinations of new software and hardware.

Usually, the more features available, the more popular the system. In addition, the more long-term and paid development will be needed to make drivers and software for new hardware. And with more vulnerabilities, more and/or better security will also be needed. And if that takes up computer resources, then hardware must be improved to maintain performance, if not make it better.

With more features, software, and hardware availability and choices, the more need for updates, with that, dedicated support and technical teams. Ultimately, dedication plus availability, especially for important reasons, means available funding.

Finally, most people are regular users, and cannot be expected to take care of problems by themselves. And even those who can might not have time to do so.

Thus, the claim that this or that is more secure is questionable.