So, you’ve heard of Shellshock, of course. And if you use Unix, you made sure someone installed the right patch for Bash (in Shellshock’s case, more than one: the first fix was incomplete and follow-up patches were issued), and you think: OK, I’ve dealt with it, let’s get back to more important things.
Well, there’s more to Shellshock than meets the eye. Here’s why:
1. There are many more security vulnerabilities out there
Shellshock, and Heartbleed before it, are just two examples of security vulnerabilities in widely used open source components.
Open source components, like any software, have bugs and security vulnerabilities. The great thing is that open source components usually have an entire community of developers and users who report on vulnerabilities and fix them.
What you need to do is follow the vulnerability announcements (CVEs and the project’s own security advisories) and the component’s repository for updates, and then actually apply them.
2. Bash (or parts of other open source components) may still be part of your software
Open source components that were designed for one purpose can be quite useful in other scenarios. So it is quite probable that one of your developers decided to use an open source component, or part of it, in your product. Whatever this component does, or contains, is now part of your software, including any vulnerability it carries. And if the developer copied files into your source tree rather than depending on the system package, updating the system package (apt-get upgrade, yum update and the like) does nothing for that copy.
Open source is great. You get the functionality you need, for free, and it saves development time and effort. It is also great because it is used by many, continuously tested and improved, and the results are shared with the community.
As R&D execs, what we have to do is keep an inventory of what is in our software, copied code included, and track the security updates published for every component on that list.
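To make that last point concrete, here is a small added example (not code from the original post) of the check such an inventory makes possible: a list of components and versions, including a copy vendored into the source tree, matched against advisory records with numeric version comparison. Every inventory entry, advisory identifier and fixed-in version below is constructed for illustration; none of it is real advisory data, and the bash fix levels shown are not the actual Shellshock patch versions.

```python
"""Match a component inventory against advisory records.

Added example for this post, not code from the original article. Every
inventory entry, advisory id and fixed-in version below is constructed for
illustration; none of it is real advisory data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '4.3.30' into (4, 3, 30), keeping only the leading digits of
    each dotted part so '45(1)-release' reads as 45.

    Comparing version strings as text is a classic inventory bug:
    '2.10' < '2.9' is True for strings but false for versions."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.
    Shorter tuples are padded with zeros so 4.3 equals 4.3.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    source: str  # where it came from: a package manager, or a path in our tree


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str  # first version carrying the fix


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    source: str
    advisory_id: str


def affected(inventory: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Report every inventory entry older than the fix for a matching advisory.
    Because the inventory records copies vendored into the tree, a copied
    component is caught even though the package manager never sees it."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv.component == comp.name and version_lt(comp.version, adv.fixed_in):
                findings.append(Finding(comp.name, comp.version, comp.source, adv.advisory_id))
    return findings


# Constructed inventory: the system bash is patched, but a developer copied an
# older bash into the source tree, which a package upgrade will never touch.
INVENTORY = [
    Component("bash", "4.3.30", "apt"),
    Component("bash", "4.2.45", "third_party/embedded-shell/"),
    Component("libfoo", "2.10", "vendor/libfoo/"),
]

# Constructed advisories; ids and fixed-in versions are made up for the example.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "bash", "4.3.30"),
    Advisory("ADV-EXAMPLE-0002", "libfoo", "2.9"),
]


if __name__ == "__main__":
    for f in affected(INVENTORY, ADVISORIES):
        print(f"{f.component} {f.version} at {f.source}: affected by {f.advisory_id}")
```

Run it and only the copy under third_party/ is reported: the apt-managed bash is at the fixed version, and libfoo 2.10 is newer than the 2.9 fix, which a text comparison of version strings would have got wrong.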