Security with open source

[aaron_kenny]

Hi Guys,

like allot of designers out there at the moment I use a fleet of different opens source web technologies including CMS, rich text editors, image manipulation tools, forums etc.

My question is, generally have any of you been concerned with potential security issues with any of these technologies.

For example, the other day I came across a mambot for Joomla which would not only serve my clients needs but would also save me loads of time and effort. However knowing that the client (who will have to remain unnamed) is very conscious of online security the thought occured to me, how do I really know that this mambot doesn't have some underlying method of tracking sensitive customer details and the likes.

Now obviously I researched this mambot and discovered that it's perfectly safe and has been certified by Joomla.
However as an open question I'd be interested in hearing your thoughts?

 

[mneylon]

The main problem with ANY cms is that most people seem to install them and then forget to upgrade / patch them

Some OSS software has a good security track record, but other projects definitely don't (wordpress springs to mind!)

As for nefarious plugins etc., while I haven't come across any I don't think it's simply a matter of open vs. closed source. A lot of commercial software "calls home" as well

 

[Forbairt]

The main problem with ANY cms is that most people seem to install them and then forget to upgrade / patch them

In relation to this a problem I find is that unless you've a support agreement with your client and a new patch comes out ... well .. you can't justify patching it for them. It leaves you feeling kinda bad and wondering what happens if XYZ gets exploited.

I tend to come across clients who aren't interested in the support agreements and it leaves me in the same boat I guess do I or don't I go for the open source but as Blacknight said its happens even in commercial software

 

[Arch-Stanton]

I am a great believer in open source technologies and in my experience the open source tends to more secure in some cases than proprietary software.

An example that comes to mind would be RHEL and CentOS, they are exactly the same and RHEL uses the CentOS community to find bugs and enhance the RHEL product.

With regard to Joomla, there are a couple of thousand extensions in their directory and they only certify (with regard to security updates) extensions that are in the core release of the product and not 3rd party extensions.

You could say that any piece of software is exploitable , so it really down to the resources of the developer as to how secure something is over time.

.

 

[nevf]

I put a lot of faith in open source, at least they're always being updated, they're more widely available, and hackers don't aim for them. Their vulnerabilities are often quickly located and reported upon release, and I always google apps, before i use them...

I personally, have little faith in commercial software, except in some cases. I always try to keep costs down, but if I feel that security is bad on open source, i always go for commercial. for example phpbb2, however I feel that phpBB3 is a massive improvement. if phpbb3 wasn't improved, i would either go for smf or vbulletin.