Reply to post: Re: Software supply chain attacks?

Open-source software supply chain vulns have doubled in 12 months

big_D Silver badge

Re: Software supply chain attacks?

The problem isn't open source per se, it is that the code gets fixed, published, people can look at it and work out easily where the problems were and quickly exploit them. With closed source, they need to reverse engineer or get lucky. Once the fix is published, with closed source, they have a heads up where to look, which also shortens the exploit time there.

Add in that, as said, a lot of security updates never get centrally reported, as stated in the article, just in the daily check-ins and release notes, which most people only read if they are actually installing an update, if at all. That means most users never even know there are security patches available.

But a lot of open source is installed and forgotten about, because it is "open source" and not Microsoft / IBM / SAP, it often sits unloved on a server somewhere in the metaphorical corner and doesn't get updated, because it isn't "core" to the company's LoB.

That gives a lot more scope for exploiting open source software, not because it is worse than closed source, but because the information is easily accessible by hackers, down to which lines of code have been modified, and the users often aren't informed in time that there are patches available, unless it is a major issue. The dozens of minor issues that the devs discover themselves and patch quietly in the check-in logs are still available to the hackers, but which user pores over the daily check-in logs of every bit of software they have installed?
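The closing question above (who reads every project's check-in log?) is exactly the triage an attacker automates: scan commit messages and touched paths for the signals that mark a quietly fixed bug. The script below is an added example illustrating that, not code from the poster, from The Register, or from any project. The log excerpt, the keyword weights and the path patterns are all constructed for the example; a defender would run the same thing over `git log --format='commit %H%n%s' --name-only` output for each dependency they actually ship.

```python
"""Triage a git log for quietly fixed security issues.

Added example (not from the original post). Scores each commit by
security-relevant words in its message and by whether it touches code
that is likely to handle untrusted input. The log format assumed is
the one produced by:  git log --format='commit %H%n%s' --name-only
"""
import re
from dataclasses import dataclass, field

# Constructed keyword weights: the vocabulary of quiet security fixes.
MESSAGE_SIGNALS = {
    r"\boverflow\b": 3,
    r"\bout[- ]of[- ]bounds\b": 3,
    r"\buse[- ]after[- ]free\b": 3,
    r"\bbounds? check": 2,
    r"\bsanitiz": 2,
    r"\bvalidat": 1,
    r"\bnull (?:pointer|deref)": 2,
    r"\bmalformed\b": 2,
    r"\bcrash\b": 1,
    r"\bfuzz": 2,
    r"\bCVE-\d{4}-\d+": 4,
    r"\bsecurity\b": 3,
    r"\binjection\b": 3,
}

# Constructed path patterns: directories whose code typically faces the network or a parser.
PATH_SIGNALS = {
    r"(?:^|/)(?:parse|decode|input|net|auth|crypto)[^/]*": 2,
}

# Constructed sample log (hypothetical SHAs, messages and paths).
SAMPLE_LOG = """\
commit a1b2c3d
Fix bounds check in header parser
src/parse/header.c

commit d4e5f6a
Update README wording
README.md

commit 0f1e2d3
Avoid crash on malformed length field
src/net/frame.c
tests/frame_test.c
"""


@dataclass
class Commit:
    sha: str
    message: str
    files: list = field(default_factory=list)


def parse_log(text):
    """Parse the 'commit <sha>' / subject / file-list format into Commit objects."""
    commits = []
    cur = None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("commit "):
            cur = Commit(sha=line.split()[1], message="")
            commits.append(cur)
        elif cur is not None and stripped and not cur.message:
            cur.message = stripped          # first non-empty line is the subject
        elif cur is not None and stripped:
            cur.files.append(stripped)      # remaining lines are touched paths
    return commits


def score(commit):
    """Return (score, reasons): weighted keyword hits plus sensitive-path hits."""
    total, reasons = 0, []
    for pattern, weight in MESSAGE_SIGNALS.items():
        if re.search(pattern, commit.message, re.IGNORECASE):
            total += weight
            reasons.append(f"message matches {pattern}")
    for path in commit.files:
        for pattern, weight in PATH_SIGNALS.items():
            if re.search(pattern, path, re.IGNORECASE):
                total += weight
                reasons.append(f"touches {path}")
    return total, reasons


def triage(text, threshold=3):
    """Rank commits at or above threshold, highest score first."""
    ranked = []
    for commit in parse_log(text):
        total, reasons = score(commit)
        if total >= threshold:
            ranked.append((total, commit.sha, commit.message, reasons))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for total, sha, message, reasons in triage(SAMPLE_LOG):
        print(f"{total:2d} {sha} {message}")
        for reason in reasons:
            print(f"     - {reason}")
```

On the sample log the README change drops out, and the two code fixes rise to the top with the reasons listed, which is the same shortlist an attacker would build before diffing the changed lines. Tune the weights and path patterns per project; a generic list is a starting point, not a verdict.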
