Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Open source web app more prone to hacking?

Tags:

java

security

web-applications

At a recent interview, I was asked:

Open source web app (say built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do you prevent it?

My response was:

The java source code is not directly accessible. It is compiled into class files, which are then bundled in a war file and deployed within a secure container like Weblogic app server. The app server sits behind a corporate firewall and is not directly accessible.

At that time - I did not mention anything about XSS and SQL injection which can affect a COTS-based web app similar to an open source one.

My questions:

a) Is my response to the question correct?

b) What additional points can I add to the answer?

thanks in advance.

EDIT:

While I digest your replies - let me also point out the question was also meant towards frameworks such as Liferay and Apache OFBiz.

like image 226
newtoallthis Avatar asked Aug 23 '10 06:08

newtoallthis

2 Answers

The question is a veiled argument towards Security through obscurity. I suggest you read up the usual arguments for and against and see how that fits:

  • Security through obscurity ( Wikipedia )
  • Hardening Wordpress
  • SSH server security (Putty)

My personal opinion is that obscurity is at best the weakest layer of defence against atack. It might help filter out automated attacks by uninformed attackers, but it does not help much against a determined assault.

like image 73
Robert Munteanu Avatar answered Oct 06 '22 18:10

Robert Munteanu

a) Is my response to the question correct?

The part about the source not being accessible (to change it) because it is compiled and deployed where it cannot be touched is not a good answer. The same applies to non-open-source software. The point that was being made against an open source stack is that the source is accessible to read, which would make it easier to find vulnerabilities that can be exploited against the installed app (compiled or not).

The point about the firewall is good (even though it does not concern the open- or closedness of the software, either).

b) What additional points can I add to the answer?

The main counterargument against security through obscurity (which was the argument being made here) is that with open source software, many more people will be looking at the source in order to find and fix these problems.

since anyone can access the source code and change it.

Are you sure that is what they said? Change it? Not "study it"?

I don't see how anyone can just change the source code for Struts...

like image 21
Thilo Avatar answered Oct 06 '22 18:10

Thilo
Sign in to Comment

Related questions

Mocking a concrete class using EasyMock
Why are Java enums not clonable?
Java out of memory Exception
How do you uninstall the Scala Eclipse plugin?
How do I get Maven 2 to build 2 separate WAR files
I need a cycle which iterates through dates interval
Java, replacement for infinite loops?
Add and remove an icon on a JLabel
I want to use a method which is called only once after deploying to Server [duplicate]
Pop-up window in Java Swing
add objects with different name through for loop
JSF - <h:outputText> making some of words Bold [duplicate]
Architect desperately wants to use SOAP over JMS
How to fill two-dimensional array using java enhanced loop?
Java: How to load a class (and its inner classes) that is already on the class path?
How to tell a method has a varargs argument using reflection?
Best way of printing simple reports in java
How do i make my progress dialog dismiss after webview is loaded?
Can I set the value of a String in Java without using a constructor?
Java: StringUtils.join on an ArrayList returns NoSuchMethodError Exception

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!