May 03, 2006
Is every free open source project good news?
Maybe, but I have my doubts. Having an open source web application running on your site can become a security nightmare or may eventually cause a high maintenance cost in the long run. Example: you have just installed a really nice web application that is popular and feature rich. The next morning you receive a security alert that an exploit has been found in that application. That happened to me during the last couple of weeks with two web applications (CMSs). Having little or no time to spend on my own site, I wanted a web application that I could install, leave running, and maybe occasionally upgrade or fix. But two incidents in the same week for two different web applications made me think twice. The site I wanted to start is closed till I figure out my next move.
Maybe it is my own perception, but I have found that most of the commercial open source web applications are more secure than free ones. Is that your experience as well? Probably it comes down to spending my own time to secure such an application or letting others do the job for me and purchasing a commercial product.
One approach I am thinking of is taking daily or even hourly offsite backups of the web application and its database, so if it gets hacked due to a new exploit being discovered, I do not have to worry about it. But then there is another problem: some exploits can cause server damage as well, e.g. remote arbitrary code execution (xss?).
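The backup approach above has one catch: a backup taken after the break-in already contains the attacker's changes, so you need several generations plus a way to tell in which one the application files first changed. The following is an added example, not code from this post, that snapshots the application tree and a database dump (the dump command is a constructed placeholder), records a SHA-256 manifest per generation, diffs two generations, and prunes old ones while keeping a fixed number:

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def manifest(root):
    """Relative path -> sha256 of every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def snapshot(app_dir, backup_root, label, db_dump=None):
    """Copy the app tree (and optional DB dump) into a new generation with its manifest."""
    dest = Path(backup_root) / label
    shutil.copytree(app_dir, dest / "files")
    if db_dump is not None:                      # db_dump: callable returning the dump bytes
        (dest / "db.sql").write_bytes(db_dump())
    m = manifest(app_dir)
    (dest / "manifest.json").write_text(json.dumps(m, sort_keys=True))
    return m

def diff_manifests(old, new):
    """(added, removed, modified) paths between two generations."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified

def prune(backup_root, keep):
    """Delete the oldest generations beyond `keep`; the survivors are your clean restore points."""
    snaps = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    for old in snaps[:max(0, len(snaps) - keep)]:
        shutil.rmtree(old)
    return [p.name for p in snaps[-keep:]]

def demo():
    """Constructed scenario: a tiny app tree, two generations, one unexpected change in between."""
    work = Path(tempfile.mkdtemp())
    app, backups = work / "htdocs", work / "backups"
    app.mkdir(); backups.mkdir()
    (app / "index.php").write_text("<?php echo 'hello'; ?>")
    gen1 = snapshot(app, backups, "2006-05-03T00", db_dump=lambda: b"-- constructed dump\n")
    # Between backups the tree changed in a way no upgrade was supposed to cause.
    (app / "index.php").write_text("<?php echo 'hello'; include 'extra.php'; ?>")
    (app / "extra.php").write_text("<?php /* unexpected file */ ?>")
    gen2 = snapshot(app, backups, "2006-05-03T01", db_dump=lambda: b"-- constructed dump\n")
    changes = diff_manifests(gen1, gen2)         # tells you gen1 is the last clean generation
    kept = prune(backups, keep=2)
    shutil.rmtree(work)
    return changes, kept
```

Run it from cron (hourly, as the post suggests) with the backup root on a separate host or mount, so that an exploit that damages the server cannot also destroy the generations.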
One other problem that I faced is that some applications do not have a straightforward process to apply a patch or upgrade. Spending 2 hours to go through 10 steps to upgrade the application is not a good idea. This probably happens with applications that were designed on the spur of the moment without proper design. Maintaining such an application is no doubt difficult for the developers as well.
Oh, btw, you should sign up for daily alerts at secunia.com if you are using any third-party application, or join the announcement/development mailing list of the product you are using to stay up to date with any patches/updates released by the vendor/developers.