Ounce Labs, a software risk analysis company, has uncovered two security vulnerabilities in the Spring Framework.

Considering how long Spring has been in use, and its popularity, how could such vulnerabilities remain hidden so long? After all, isn’t one of the hallmarks of open source the strong community vetting? Could it be that the shift towards single vendor-driven open source is making open source riskier?

What the Spring vulnerabilities are

Kudos to Ryan Berg, chief scientist and co-founder of Ounce Labs, and Ounce team for uncovering the issues and working with SpringSource to raise awareness.

According to Ounce Labs:

The specific vulnerabilities are “ModelView Injection” and “Data Submission to Non-Editable Fields.” These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself, and access to any data, credentials or keys held in the application.

If your applications use the Spring Framework, be sure to read FAQs from the SpringSource advisory and the Ounce Security Advisory.

The deeper question on open source vetting

Now, the reason this story caught my eye:

“As we put more and more trust into the frameworks that are the foundation of our applications, we need to make sure we understand the security decisions made so we can make the right implementation choices.”

Two key benefits of OSS are the ability to read and understand the code we use and that “many eyes scouring the code” makes the product more secure.

Considering the millions of downloads of the Spring Framework, should we have expected someone to discover these security holes earlier? Or do developers use what the next guy/gal is using, trusting that “someone” has done the due diligence?

How should we interpret the news versus the long-held belief of increased security as a result of “more eyes scouring the code”? Could that be a trait of merit-based OSS projects that isn’t likely to show up in OSS projects where a single vendor writes the code?

If developers outside the company can’t contribute code, what is the likelihood that a developer will look at a piece of code within the project and ask, “How can I make this better?” — and in the process uncover a potential security issue?

I’m really asking a fundamental question: Are merit-based OSS projects more secure than single-vendor-driven OSS projects?


PS: I should state: “The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.”

Very cool OSS project for tracking and recovering your lost or stolen laptop.  It’s a project from the University of Washington.  This app sounds like a great way to address the 12,000 laptops lost per week at US airports.

The UW website states:

“Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. This means that you can install Adeona on your laptop and go — there’s no need to rely on a single third party. What’s more, Adeona addresses a critical privacy goal different from existing commercial offerings. It is privacy-preserving. This means that no one besides the owner (or an agent of the owner’s choosing) can use Adeona to track a laptop. Unlike other systems, users of Adeona can rest assured that no one can abuse the system in order to track where they use their laptop. “

A very cool feature is using the iSight camera to take pics of the “user” after your laptop has been lost/stolen.  This feature is for Mac OS X, but Adeona is useful for laptops of all kinds.  The team is looking at Adeona for mobile devices.

Linux, OS X and XP/Vista are supported.

Btw kudos to: Ph.D. students Gabriel Maganis and Thomas Ristenpart, working with UW faculty members Tadayoshi Kohno and Arvind Krishnamurthy.