A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce the development time. What concept should software developers consider when using open-source software libraries?
When using open-source software libraries, software developers should consider that these libraries often contain known vulnerabilities. Adversaries are aware of and regularly exploit these vulnerabilities. The inherent openness of these libraries means they are subjected to public scrutiny, but it also means that vulnerabilities are public knowledge, increasing the potential risk of exploitation. Therefore, developers must stay vigilant, regularly update the libraries, and monitor known vulnerabilities to mitigate security risks.
Option B is incorrect because the common understanding that vulnerabilities in open-source libraries will not be exploited is not true. Option C is incorrect because while unknown vulnerabilities in open-source libraries are possible, it does not mean they should not be used. Option D is incorrect because although many open-source libraries are constantly updated and maintained by a large community of contributors, it does not mean they are free from vulnerabilities
From the CISSP Official Study Guide - "Many of these libraries are available as open source projects, whereas others may be commercially sold or maintained internally by a company. Over the years, the use of shared libraries has resulted in many security issues... To protect against similar vulnerabilities, developers should be aware of the origins of their shared code and keep abreast of any security vulnerabilities that might be discovered in libraries that they use. This doesn't mean that shared libraries are inherently bad. In fact, it's difficult to imagine a world where shared libraries aren't widely used. It simply calls for vigilance and attention from software developers and cybersecurity professionals."
A is correct
A. Open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild. While it is true that open source libraries can be updated regularly, this does not guarantee that vulnerabilities will not exist or that they will not be exploited. In fact, the use of open source libraries can potentially increase the risk of vulnerabilities because they are widely used and known to many people, including adversaries. This means that if a vulnerability is discovered in an open source library, it may be more likely to be exploited compared to a proprietary library that is not widely known. Additionally, it is not uncommon for open source libraries to contain known vulnerabilities, as these libraries are often developed by a community of volunteers who may not have the resources or time to thoroughly test and secure the code. Therefore, it is important for software developers to consider the potential risks of using open source libraries, including the possibility of known vulnerabilities, when making decisions about which libraries to use.
Answer is right e.g log4j
Open source vulnerabilities are basically security risks in open source software. These are weak or vulnerable code that allows attackers to conduct malicious attacks or perform unintended actions that are not authorized. https://www.cypressdatadefense.com/blog/open-source-security-risk/
?!? Guys?! Only d is correct. If vulnerbinities are recogniced, they are fixed. All poeple can look for them. Review is done much more frequently. Unknown vulnerabilities exist in every software. And there is no consense fir nit attacking anything.
Some librairies and projects have a very low community and time commitment(busy devs) to find the bugs, vulnerabilities and to fix them accordingly.
True but also true of closed software which generally has few development resources committed if isn't a popular money maker or has a locked in market. As indicated in the study material for the CISSP, vulnerabilities in open source code are typically found and patched more quickly than closed. A is false because any KNOWN vulnerabilities in open source software are generally patched when discovered.
True but also true of closed software which generally has few development resources committed if isn't a popular money maker or has a locked in market. As indicated in the study material for the CISSP, vulnerabilities in open source code are typically found and patched more quickly than closed. A is false because any KNOWN vulnerabilities in open source software are generally patched when discovered.
So weird how many people think the answer is A. Just because a libary is open-source it doesnt make it automatically have known vulnerabilities. The answer is 100% D. If a library is open then its under public scrutiny far more. Therefore, when a vulnerability is detected, a fix is found quite fast. For example just look at the SSL vulnerability.
I mean you need to think like a CISO or a least an IT security manager. Will you tell the developers that "Please use open source software without concerns as issues will be fast"? How will you explain log4j issue then
That isn't thinking like a CISO unless you mean that CISOs are stuck in an 80's mindset where obscurity provides security. There are issues like log4j in both closed and open systems, they get found and patched more quickly with the more eyes see and review the source.
That isn't thinking like a CISO unless you mean that CISOs are stuck in an 80's mindset where obscurity provides security. There are issues like log4j in both closed and open systems, they get found and patched more quickly with the more eyes see and review the source.
IN my opinion the correct Answer is B "Sometimes it’s noted that a vulnerability that exists but is unknown can’t be exploited, so the system “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of helping to fix it. Having unknown vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they’ll be exploited. Fundamentally, the problem of someone exploiting a vulnerability they discover is a problem for both open and closed source systems." https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html https://www.darkreading.com/application-security/flaws-found-in-some-open-source-projects-exploited-more-often
A, developer known the vulnerabilities before use the open source library
A is correct
D. All software has vulnerabilities but an open source solution with equivalent popularity will have fewer UNPATCHED known vulnerabilities and because vulnerabilities are patched more frequently, typically upon discovery.
Can't be D. While some open-source projects are actively maintained, not all are, and the existence of vulnerabilities is common.