mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-25 23:11:02 +08:00
Merge pull request #27480 from KevinZonda/trans-sec-in-oss
[Translated] Security Issues With Open Source In Today’s World
commit d7557c2e9d
@ -1,44 +0,0 @@
[#]: subject: "Security Issues With Open Source In Today’s World"
[#]: via: "https://www.opensourceforu.com/2022/10/security-issues-with-open-source-in-todays-world/"
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
[#]: collector: "lkxed"
[#]: translator: "KevinZonda"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Security Issues With Open Source In Today’s World
======
Open source may be the most viable option for most companies today but it comes with its own set of problems too.
Many people support the use of open source software (OSS). After all, why would we keep trying to build code that addresses issues that have already been resolved by others? Why not share the information and progressively and iteratively enhance the current open source solutions? These egalitarian values, however perhaps fundamental to civilization in general, not to mention software, nonetheless include conflicts that have been a problem for millennia.
The problem with open source software security is that just because anyone can view the source code doesn’t imply they will. There are extensively used open-source projects that are only being maintained by a limited number of engineers. These engineers are unable to provide their time and effort completely voluntarily since they also need to pay their bills.
Even for more complex open source projects, this can be a problem. As an illustration, the Linux kernel project consists of more than 30 million lines of code, contains hundreds of flaws that need to be resolved, and has close to 2000 active developers. Each active developer has written more than 15,000 lines of code.
According to a recent research from the Linux Foundation, an application has an average of 5.1 significant vulnerabilities that are still open, and 41% of enterprises lack confidence in the security of their open source software. And to make matters worse, only 49% of businesses have an open source security policy.
Even if open source software has a security flaw, that does not guarantee that it will be fixed. The survey revealed that it presently takes 97.8 days on average to repair a vulnerability, leaving businesses using that software vulnerable to assaults for several months. This is the sometimes overlooked aspect of open source software security: just as the good men can look for faults and vulnerabilities in the code to repair them, the bad guys can look for the same bugs to exploit them.
It is a long shot to rely solely on a volunteer community to find vulnerabilities, report them, and fix them. While you continue to benefit from open source’s broader advantages, paying someone to examine the security of your open source solutions can help close this gap.
Since OSS updates and patches must be implemented to secure systems, this requirement can bring unique difficulties. Updating your mission-critical software could result in functionality loss and/or unplanned downtime if your solution depends on a certain software version. When a situation is business-critical, it may be more elegant to hire a specialist to backport the patch and maintain a version for longer than the larger community is willing to.
The open source community frequently uses the phrase “It’s open source, go change it!” and it emphasises a crucial point: It is unreasonable and unsustainable to expect good security levels for nothing while others invest their time, effort, or money in the project.
Either contribute to open source as it was intended, improve the code and publish it for others, or hire professionals to manage the OSS code and debug it as necessary are options. However, the industry cannot afford to contribute nothing at all.
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/10/security-issues-with-open-source-in-todays-world/
作者:[Laveesh Kocher][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
[b]: https://github.com/lkxed
@ -0,0 +1,44 @@
[#]: subject: "Security Issues With Open Source In Today’s World"
[#]: via: "https://www.opensourceforu.com/2022/10/security-issues-with-open-source-in-todays-world/"
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
[#]: collector: "lkxed"
[#]: translator: "KevinZonda"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
当今世界的开源安全问题
======
开放源代码可能是当今大多数公司最可行的选择,但它也伴随着自己的问题。
许多人支持使用开放源代码软件(OSS)。毕竟,我们为什么要不断地尝试构建代码来解决别人已经解决过的问题?为什么不分享信息并逐步和迭代地增强当前的开源解决方案呢?这些平等主义的价值观,可能通常来说其对整个文明的非常重要,更不用说软件了,但还是包括了几千年来一直存在的冲突。
开源软件安全的问题在于,任何人都可以查看源代码,但这并不意味着他们会这么做。有一些广泛使用的开源项目仅由数量有限的工程师维护。这些工程师无法完全自愿地提供时间和精力,因为他们也需要支付他们的账单。
即使对于更复杂的开源项目,这也是一个问题。举个例子,Linux 内核项目由 3000 多万行代码组成,包含数百个需要解决的缺陷,并有近 2000 名活跃的开发者。每个活跃的开发者都写了超过 15000 行的代码。
根据 Linux 基金会最近的一项研究,一个应用程序平均有 5.1 个重大漏洞仍未解决,41% 的企业对其开源软件的安全性缺乏信心。而更糟糕的是,只有 49% 的企业拥有开源安全策略。
即使开源软件有安全漏洞,这也不能保证它能被修复。调查显示,目前修复一个漏洞平均需要 97.8 天,使使用该软件的企业在几个月内容易受到攻击。这就是开源软件安全有时被忽视的地方:就像好人可以寻找代码中的错误和漏洞来修复它们一样,坏人也可以寻找同样的漏洞来利用它们。
仅仅依靠一个志愿者社区来发现漏洞、报告漏洞和修复漏洞是一个漫长的过程。在你继续受益于开源的广泛优势的同时,花钱请人检查你的开源解决方案的安全性可以帮助弥补这个问题。
由于必须安装开放源码软件的更新和补丁必须以保证系统的安全,这一要求会带来独特的困难。如果你的解决方案依赖于某个软件版本,更新你的关键任务软件可能会导致功能损失和/或计划外的停机。当情况对业务至关重要时,聘请专家来回传补丁并维护一个时间更长的版本可能比让大型社区愿意去做更加优雅。
开源社区经常使用的一句话是:“这是开源的,去改变它吧!”它强调了一个关键点:当别人在项目中投入时间、精力或金钱的时候,期望白白得到良好的安全水平是不合理的,也是不可持续的。
要么按原定计划为开放源码做出贡献,改进代码并为他人发布,要么聘请专业人士管理开放源码代码并在必要时进行调试,这些都是选择。然而,这个行业无法承担完全不做贡献。
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/10/security-issues-with-open-source-in-todays-world/
作者:[Laveesh Kocher][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
[b]: https://github.com/lkxed
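Review bot: the translator footer in this hunk is still the template value: `译者:[译者ID](https://github.com/译者ID)` disagrees with the header a few lines up that sets `[#]: translator: "KevinZonda"`, so it should become `译者:[KevinZonda](https://github.com/KevinZonda)` before merge (the `校对` line can keep its placeholder while `reviewer` is still blank). Two wording problems in the body as well: the paragraph beginning `由于必须安装开放源码软件的更新和补丁必须以保证系统的安全` repeats 必须 and reads better as 由于必须安装开源软件的更新和补丁以保证系统安全; and its final sentence moves the comparison in the source line, `maintain a version for longer than the larger community is willing to`, onto whether the community can be made willing, whereas the source compares how long the version is maintained, so something like 聘请专家向后移植补丁,并把某个版本维护得比社区愿意维护的时间更久,可能是更优雅的做法 keeps the meaning. Minor: 使使用该软件的企业 in the 97.8 天 paragraph doubles 使; 令使用该软件的企业 avoids it.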