[Ambassadors] SecurityFocus News about OSS
Siddharth Upmanyu
siddharth1105 at yahoo.com
Sun Oct 8 06:36:44 UTC 2006
Hi Guys ...
just stumbled upon this 'securityfocus' news article
i would like to bring it to notice... do you think it talks about uncovered issues and potential bugs?
http://www.securityfocus.com/news/11417
-------------------------------------------------------------------------------------------------------------------------------------------------
Security professionals warned developers on Thursday that they need to
be aware that their open-source repositories can now be easily mined,
allowing attackers to target programs that are likely to be flawed.
While Google could previously be used to look for specific strings, now
the search engine riffles through code that much better.
Google announced on Thursday
that the tool is now available for public use. Google Code Search digs
through open-source code repositories on the Internet, compiling the
large amount of source code available on the Web into an easily
searchable database. The tool allows Web surfers to find code that
matches certain regular expressions, and searches can be limited to
certain file types and licenses.
The security implications of Google's Code Search resemble those raised
by its original Web search engine. Google hacking--the term for using
Google queries to search for vulnerabilities in Web sites--is a popular way to find servers with specific flaws. Worms and viruses have attempted to use the search engine to create lists of potentially vulnerable victims to attack. And, in July, researchers warned that malicious code could easily be found using the search egnine.
"Google recommends developers use generally accepted good coding
practices including understanding the implications of the code they
implement and testing appropriately," the company said in a statement
e-mailed to SecurityFocus.
Code Search could also allow code auditors to warn people of
vulnerabilities in a program much faster. A central argument of
open-source software is that security is enhanced by more people
looking at the available code. In the long term, Google Code Search
could result in a greater number of eyes looking for flaws, Wysopal
said.
More information about the Fedora-ambassadors-list
mailing list