Hundreds of high-risk vulnerabilities in popular software? Open source security issues cannot be ignored

With the open source community thriving, it is now hard to find a program that contains no open source components at all. Yet the security of those components receives too little attention, and some people even assume that open source software is inherently safe. It is not.

Features of open source security:
1. Because the source code is public, discovered vulnerabilities are disclosed openly, often together with the commit that fixes them, which makes the affected code easy for attackers to locate and exploit.
2. Authors of open source components usually fix a problem and release a new version promptly, but the end users of software that embeds those components often do not receive the update in time.
3. During software development and acceptance testing, people often cannot determine precisely which open source components a program contains, let alone whether any of them carries a serious known security risk.

The China Open Source Security Alliance (www.cvecn.com) partly addresses the problem of locating these open source vulnerabilities. The Alliance offers a free binary scanning service on its website that accepts a range of binary formats such as exe, jar, apk, ipk, iso, bin, dll, dmg and pkg. Beyond locating open source vulnerabilities and reporting their CVE numbers and patching options, it also produces the list of open source components the binary uses. It is said to rely on the same analysis techniques used by international law firms and customs authorities for intellectual property checks. Note that uploading an unreleased binary to any third-party service discloses it; check the service's terms before scanning proprietary builds.

At LinuxWorld 2006, Linux kernel maintainer Alan Cox warned that considerable money is being spent on attacking and undermining the security of open source systems, and that many open source projects are far from secure. The line that often appears in the media, that open source software is safer, more reliable and has fewer bugs, is a dangerous view.

CVE (Common Vulnerabilities and Exposures) is an internationally recognized catalogue of publicly known security vulnerabilities: a list of standardized identifiers, one per flaw, rather than a vulnerability database in its own right. It is run as a non-profit effort with participation from industry, government and academia, and its mission is to let a given vulnerability be identified and referred to unambiguously so that it can be tracked and fixed more quickly and effectively across products. The two most important and most difficult steps in a risk assessment are quantifying each risk and, once a risk item is found, locating the control measures that address it. CVE gives good guidance for the technical part of this work: users can build their own enterprise risk-assessment index on top of the CVE dictionary and a database that indexes it (such as NVD, which adds severity scores), and the references attached to each CVE entry lead to the vendor advisory and the corresponding fix or mitigation.
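The two problems raised above, not knowing which components a program contains (point 3 in the feature list) and mapping the ones it does contain onto CVE entries with a fix, come down to a component inventory matched against a vulnerability feed by version range. The following script is an added example written for this page, not code from the Alliance's scanner or from CVE/NVD. The inventory, package names, version ranges and CVE numbers in it are constructed placeholders (the `CVE-0000-...` ids are deliberately not real), and the feed format is an assumption chosen for illustration; a real implementation would read NVD or OSV data and use a full version comparator.

```python
"""Added example: match a component inventory against a CVE-style feed.

All data below is constructed for illustration. The CVE ids are placeholders,
not real advisories, and the package names are hypothetical.
"""
import re

# Constructed component inventory in requirements.txt style (hypothetical packages).
INVENTORY_TXT = """\
# components extracted from a build (constructed sample)
libfoo==1.2.3
barutils==0.9.1
bazparser==2.0.0
"""

# Constructed vulnerability feed: one record per (CVE, package, affected range).
# "introduced" is the first affected version, "fixed" the first fixed version
# (None means no fixed release exists yet). Ids are placeholders.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "package": "libfoo", "introduced": "1.0.0",
     "fixed": "1.2.4", "severity": "HIGH"},
    {"cve": "CVE-0000-0002", "package": "libfoo", "introduced": "0.5.0",
     "fixed": "1.0.0", "severity": "MEDIUM"},
    {"cve": "CVE-0000-0003", "package": "bazparser", "introduced": "2.0.0",
     "fixed": None, "severity": "CRITICAL"},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(v):
    """Turn a dotted numeric version into an int tuple so ordering is numeric,
    not lexical (so 1.10.0 > 1.9.0). Rejects anything that is not purely numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def parse_inventory(text):
    """Return {package: version} from 'name==version' lines; skip comments and blanks."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\S+)", line)
        if not m:
            raise ValueError(f"cannot parse inventory line: {line!r}")
        inventory[m.group(1).lower()] = m.group(2)
    return inventory


def is_affected(version, introduced, fixed):
    """Affected iff introduced <= version < fixed; fixed=None means still unfixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerabilities(inventory, feed):
    """Cross the inventory with the feed; return findings, most severe first."""
    findings = []
    for entry in feed:
        pkg = entry["package"].lower()
        if pkg not in inventory:
            continue
        version = inventory[pkg]
        if is_affected(version, entry["introduced"], entry["fixed"]):
            remediation = (f"upgrade to {entry['fixed']}" if entry["fixed"]
                           else "no fixed version yet; mitigate or remove")
            findings.append({"cve": entry["cve"], "package": pkg,
                             "version": version, "severity": entry["severity"],
                             "remediation": remediation})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["cve"]))
    return findings


def scan(inventory_text=INVENTORY_TXT, feed=VULN_FEED):
    """Convenience wrapper: parse the inventory text and match it against the feed."""
    return find_vulnerabilities(parse_inventory(inventory_text), feed)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity']:8} {f['cve']} {f['package']}=={f['version']}: "
              f"{f['remediation']}")
```

On the constructed data this reports two findings: `bazparser==2.0.0` hits the unfixed CRITICAL record, and `libfoo==1.2.3` hits the HIGH record whose fix is 1.2.4, while the second `libfoo` record is skipped because 1.2.3 is already past its fixed version. The numeric tuple comparison is the minimum needed to avoid the classic mistake of comparing versions as strings; real package ecosystems add pre-release tags, epochs and build metadata, so production tooling should use a proper comparator (for Python, `packaging.version`) and an authoritative feed rather than the placeholder records here.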
