Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them

The number of vulnerabilities in open source projects surged almost 50 per cent in 2019, according to security biz WhiteSource, which can be seen as good news in the sense that you don't find what you're not looking for. In its annual vulnerability report, the biz attributes the growing vulnerability count with increased …

  1. Charlie Clark Silver badge

    Why does Python consistently have a relatively low number of exploits?

    Hopefully, this is a result of secure coding practices and not lax security research for Python projects

    Some credit could also go to the design of the language and the conventions this encourages. The core language itself is small, which makes testing easier, while the standard library provides lots of key functionality with less of a need to reinvent the wheel – though this still happens of course. The focus on readability comes from an appreciation that code will probably have to be maintained by someone other than the author. Strong but dynamic typing means fewer gotchas due to automatic type-casting, though mutables still pose problems, whilst allowing short, expressive and flexible code.

    But no resting on our laurels, though!

    1. alain williams Silver badge

      Re: Why does Python consistently have a relatively low number of exploits?

      It is misleading to compare levels of bugs between languages and assume that it is down to features of the language, libraries, etc.

      The other big variable is the type of programmer who uses different languages. E.g. PHP is much easier to do something simply in than Python and so is used by less skilled and less capable programmers. These 'lesser' programmers are going to make mistakes that better programmers would avoid.

      However: finding the skill levels of the programmer and then comparing what they produce in different languages is almost impossible to do.

      1. Charlie Clark Silver badge

        Re: Why does Python consistently have a relatively low number of exploits?

        "PHP is much easier to do something simply than Python and so is used by less skilled and less capable programmers."

        This is nonsense, especially with Python's interactive mode and tools like Jupyter notebooks. In fact, Python's ease of use for non-programmers is one of the reasons why it's become so popular in areas like statistics and biology. The only thing it's easier to do in PHP is create a dynamic web page, though this is more down to the implementation of mod_php than to anything in the language itself.

  2. steelpillow Silver badge

    Forking NVD

    Well there you go, you put your Open Source related info on a US Government database built on a proprietary stack and lo and behold! it ain't fully maintained. Deeply shocking!

    I mean, c'mon guys, remember that Open Source is not about the software, it's about the business model? And it's international? Well, so is vulnerability, right?

    The no-brainer in the room is a FLOSSVD maintained by the global FLOSS community.

    1. Dan 55 Silver badge

      Re: Forking NVD

      You know what it's like as soon as any software can be classified as 'government' or 'enterprise', it suddenly becomes set in stone and never changes for decades.

      1. phuzz Silver badge

        Re: Forking NVD

        "I need to patch the server because of this new vulnerability, when's a good time?"

        "Will this result in downtime?"

        "Well yes, about five seconds while I restart apache, but overnight we only get one or t-"

        "NO! Unacceptable! No downtime at all! You can have scheduled downtime in six months"

        And it never gets patched.

    2. Michael Wojcik Silver badge

      Re: Forking NVD

      You mean like OSVDB (2004-2016) or VULDB (2017-present)? Though I guess there's no easy way to find out if this idea had already been tried.

  3. Claverhouse Silver badge

    A Warning From History

    Again a showing on the dangers of Open Source. Looking at closed proprietary sourced models it is salutary to realise Windows has never had even one vulnerability.

    1. Snake Silver badge

      Re: A Warning From History

      You're forgetting the decades of "Open source is better (quality) because so many eyes are looking at it!" mantra here.

      6,000 bugs last year alone, eh?

      1. Maventi

        Re: A Warning From History

        To be fair the mantra has never been that open source means fewer bugs, it is that bugs are shallower. That is, if a bug is discovered then the ability to have so many eyes cast over it means that a fix will quickly become obvious to someone. See Linus's law.

  4. Anonymous Coward

    A necessary step

    Removing potential security bugs from software used in a large part of the modern Internet is essential.

    I am surprised that even with a bounty in place, the numbers are still low.

    How much commercial software would stand up to wide inspection?

    1. Anonymous Coward

      Re: A necessary step

      When the numbers for closed source were worse they were important. Now open source has more vulnerabilities it's clear this number just means we're looking hard. It certainly didn't mean that before the numbers were reversed.

      You twist and turn like a twisty turny thing.

Biting the hand that feeds IT © 1998–2021