Future Hosting, a VPS hosting and dedicated server hosting provider based in Southfield, Michigan, has warned developers of the security risks of using unmaintained open source projects in websites and applications.
Future Hosting advises companies that use open source components to create policies for the selection and monitoring of open source projects. At a minimum, they should check that every open source component is actively maintained and that its developers are responsive to security-related bug reports.
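A minimal form of the policy check described above, written as an added example (it is not Future Hosting's or Black Duck's code). It evaluates an inventory of components against two assumed thresholds: how long since the project last shipped a release, and how long a security report has gone without a maintainer response. The component records, dates and thresholds are constructed sample values, not figures from the report.

```python
"""Policy check for open source component maintenance status.

Added example, not code from the article or the companies it names.
Component records are constructed sample data; thresholds are assumed
values a team would tune to its own risk appetite.
"""
from dataclasses import dataclass, field
from datetime import date

# Policy thresholds (assumed values, not from the article).
MAX_DAYS_SINCE_RELEASE = 365               # a year with no release looks unmaintained
MAX_DAYS_UNANSWERED_SECURITY_REPORT = 90   # security reports should get a response


@dataclass
class Component:
    name: str
    last_release: date
    # Dates on which security reports were filed that still have no maintainer response.
    unanswered_security_reports: list = field(default_factory=list)
    archived: bool = False  # project explicitly marked archived/unmaintained


def evaluate(component, today):
    """Return a list of policy findings; an empty list means the component passes."""
    findings = []
    if component.archived:
        findings.append("project is archived/unmaintained")
    stale_days = (today - component.last_release).days
    if stale_days > MAX_DAYS_SINCE_RELEASE:
        findings.append(f"no release in {stale_days} days")
    for reported in component.unanswered_security_reports:
        age = (today - reported).days
        if age > MAX_DAYS_UNANSWERED_SECURITY_REPORT:
            findings.append(f"security report unanswered for {age} days")
    return findings


def audit(components, today):
    """Map component name -> findings, listing only components that fail the policy."""
    failures = {}
    for component in components:
        findings = evaluate(component, today)
        if findings:
            failures[component.name] = findings
    return failures


# Constructed inventory used to exercise the check.
TODAY = date(2017, 5, 1)
SAMPLE_COMPONENTS = [
    Component("well-maintained-lib", date(2017, 3, 15)),
    Component("stale-module", date(2015, 11, 2)),
    Component("archived-plugin", date(2016, 1, 10), archived=True),
    Component("slow-responder", date(2017, 2, 1),
              unanswered_security_reports=[date(2017, 1, 5)]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_COMPONENTS, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In practice the inventory would be generated from a lock file or SBOM and the release and issue dates pulled from the project's repository, with the check run on a schedule so that a component that was healthy at selection time is flagged once it goes quiet.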
The warning follows a report from Black Duck Software, which showed how common it is for vulnerabilities to be introduced to applications via unmaintained open source projects (as reported in eWeek on April 21, 2017).
The report examined 1,000 applications and found an average of 27 vulnerabilities in each, many in unmaintained open source components or in components from projects that don’t patch security vulnerabilities quickly or at all.
“We depend on open source software and so do many of our clients. Open source is an important part of the online economy, but businesses should be cautious,” said Maulesh Patel, VP of Operations, Future Hosting. “It’s all too easy to include an open source library or module that provides useful functionality, but that isn’t compatible with modern security and privacy standards.”
The recent discovery of critical vulnerabilities in the unmaintained Drupal References Module provides a pointed example of what happens when developers don’t check the status of open source projects. References was installed on over 100,000 sites, creating “a far-reaching security risk that could have been avoided if Drupal users had spent a few minutes verifying the status of the project.”