Is Heartbleed the inevitable result of open source software?

Is open source software safe to deploy? Damien Choizit has written a thoughtful opinion piece in Software Development Times in the aftermath of the Heartbleed OpenSSL debacle.

He writes, “the question on everyone’s mind is, ‘What does this mean for open-source software development?’ The truth of the matter is, Heartbleed wasn’t the real problem. Rather, it was with how we currently view and deploy open-source and outsourced code.”

Choizit goes on to blame, not the OpenSSL team, but the mindless OEM and ODM development teams who blindly use open source software with the assumption that it must be solid.

At Quadros Systems we have long been skeptical of the lemming-like move to open source without a commensurate look at what is really in the code. The lure of “free” software has blinded many to some of the inherent risks.

1. Does the ready availability of open source software, and the ability of malicious hackers to study it, make it more prone to trapdoors and backdoors?

2. Do developers assume that because it is open source, thousands of others must have already checked out the code, so it must be safe?

In this new era of “the Internet of Everything” your embedded device may be more vulnerable than ever.
