Open source web app more prone to hacking?

At a recent interview, I was asked:

Open source web app (say built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do you prevent it?

My response was:

The java source code is not directly accessible. It is compiled into class files, which are then bundled in a war file and deployed within a secure container like Weblogic app server. The app server sits behind a corporate firewall and is not directly accessible.

At that time - I did not mention anything about XSS and SQL injection which can affect a COTS-based web app similar to an open source one.

My questions:

a) Is my response to the question correct?

b) What additional points can I add to the answer?

Thanks in advance.

EDIT:

While I digest your replies - let me also point out the question was also meant towards frameworks such as Liferay and Apache OFBiz.

Asked by newtoallthis on Aug 23 '10 06:08


2 Answers

The question is a veiled argument towards security through obscurity. I suggest you read up on the usual arguments for and against and see how that fits:

  • Security through obscurity ( Wikipedia )
  • Hardening Wordpress
  • SSH server security (Putty)

My personal opinion is that obscurity is at best the weakest layer of defence against attack. It might help filter out automated attacks by uninformed attackers, but it does not help much against a determined assault.

Answered by Robert Munteanu on Oct 06 '22 18:10


a) Is my response to the question correct?

The part about the source not being accessible (to change it) because it is compiled and deployed where it cannot be touched is not a good answer. The same applies to non-open-source software. The point that was being made against an open source stack is that the source is accessible to read, which would make it easier to find vulnerabilities that can be exploited against the installed app (compiled or not).

The point about the firewall is good (even though it does not concern the open- or closedness of the software, either).

b) What additional points can I add to the answer?

The main counterargument against security through obscurity (which was the argument being made here) is that with open source software, many more people will be looking at the source in order to find and fix these problems.

since anyone can access the source code and change it.

Are you sure that is what they said? Change it? Not "study it"?

I don't see how anyone can just change the source code for Struts...

Answered by Thilo on Oct 06 '22 18:10