3 December, 2022

How Secure Are Open Source Test Tools?

Opinion among test tool users is polarised, and it boils down to where you stand on one question: open source or paid tools?

One area of this debate that I don’t think gets enough attention is application security.

Even when it is discussed, I often hear the open-source champions casually proclaim that “Open source tools are not necessarily more prone to hacks than proprietary test tools.” 

Sure, it’s easy to make claims like this. But can it really be true? 

In this blog I ask: how secure are open source test tools? I highlight four areas where open source security should give you cause for concern.

1. Open Source Code Doesn’t Always Have a Security Review

As a test professional, you know that even the best developers have defects in their code. These defects range from easily detected functional issues, through more complex performance issues, to deeply buried security vulnerabilities.

The fact is, it’s hard, if not impossible, to develop flawless code. All software needs to be tested thoroughly prior to release, and this includes security testing. Most developers aren’t experts in writing secure code; it’s way down on their list of priorities. Before adopting an open source test tool, check whether the project publishes a security policy, states how vulnerability reports are handled and fixed, and has had an independent security review. Many have not.

2. Open Source Relies Heavily on Third Party Libraries

Open Source software often pulls in third-party libraries that are then used in blind faith. We should give the original developers the benefit of the doubt. I’m sure they initially vetted the libraries that were used and implemented any fixes required during the development.

However, once open source software goes live, keeping track of every library (including the transitive dependencies those libraries pull in themselves) and confirming that each one is patched becomes increasingly difficult, unless someone maintains an inventory and checks it against published advisories.

3. Bad Actors Have Visibility of Open Source Code Too

Open Source proponents like to counter the issues above, by pointing out that their code is widely used and constantly scrutinised by many developers. Their argument is that this increases the likelihood of security flaws being caught and squashed. And that is partially true. At least, they’re likely to fix them eventually. But what happens in the meantime?

Open Source projects have development communities: these are the people who contribute to the development of the solution.

When a potential vulnerability is detected, what happens next depends on the project’s disclosure process. Some projects handle reports privately among a small group of maintainers; others file them as public issues that every contributor, and anyone else watching the repository, can read. In the latter case the details are visible before a fix exists.

Unfortunately, not all development community members have the best intentions in mind – some of them could be cybercriminals.

A public report, or the commit that fixes it, tells them exactly where to look, so they don’t even have to do any homework. They can immediately go after anyone running an affected version. And the window does not close when the fix lands in the source repository: it closes when every deployment has been updated. After all, not all companies deploy fixes immediately.
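Sections 2 and 3 both come down to the same check: know exactly which versions of which libraries you are running, and compare them against advisories that name a fixed version. The following is an added example (not code from the original post, nor from any tool it mentions) of that check in Python. It parses a requirements-style inventory, flags anything that is not pinned as an unknown you cannot assess, and reports every pinned package that falls inside an advisory’s affected range together with the version to upgrade to. The package names, versions and advisories are constructed for illustration and do not refer to real packages or CVEs; in practice the inventory comes from your lockfile or SBOM and the advisories from a vulnerability feed.

```python
"""Inventory pinned dependencies and check them against advisories that name
a fixed version.

Added example, not code from the original post. The package names,
versions and advisories below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple   # first affected version, inclusive
    fixed: tuple        # first fixed version, exclusive
    summary: str


def parse_version(text: str) -> tuple:
    """'2.4.0' -> (2, 4, 0). Pre-release suffixes such as 'rc1' are dropped."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def parse_requirements(text: str) -> dict:
    """Read requirements.txt-style lines into {name: version-or-None}.

    A line pinned with '==' gives a known version. Anything else (>=, ~=,
    bare name) is recorded as None: you do not actually know what is
    installed, which is itself a finding.
    """
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pinned = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if pinned:
            inventory[pinned.group(1).lower()] = parse_version(pinned.group(2))
            continue
        name = re.match(r"^([A-Za-z0-9_.-]+)", line)
        if name:
            inventory[name.group(1).lower()] = None
    return inventory


def find_exposures(inventory: dict, advisories: list) -> list:
    """Return one finding per package that is unpinned or inside an affected range."""
    findings = []
    for name, version in sorted(inventory.items()):
        if version is None:
            findings.append({"package": name, "status": "unpinned",
                             "detail": "version unknown; pin it so it can be checked"})
            continue
        for adv in advisories:
            if adv.package == name and adv.introduced <= version < adv.fixed:
                fixed = ".".join(str(p) for p in adv.fixed)
                findings.append({"package": name, "status": "vulnerable",
                                 "detail": f"{adv.summary}; upgrade to {fixed}"})
    return findings


# Constructed sample inventory: a test tool's pinned requirements.
REQUIREMENTS = """
# constructed for this example
testharness==2.4.0
reportgen==1.9.3
xmltool>=3.0          # not pinned: installed version unknown
colouriser==0.8.1
"""

# Constructed advisories; none of these refer to real packages or CVEs.
ADVISORIES = [
    Advisory("testharness", (2, 0, 0), (2, 4, 2), "constructed: unsafe deserialisation"),
    Advisory("reportgen", (1, 0, 0), (1, 8, 0), "constructed: path traversal"),
    Advisory("xmltool", (3, 0, 0), (3, 2, 1), "constructed: XXE"),
]


if __name__ == "__main__":
    for finding in find_exposures(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{finding['status']:10} {finding['package']}: {finding['detail']}")
```

Run against the constructed inventory, this reports testharness 2.4.0 as vulnerable with an upgrade target of 2.4.2, xmltool as unpinned, and nothing for reportgen (already past the fixed version) or colouriser (no advisory). The unpinned case is the one most often missed: a range specifier means the installed version is whatever the last install resolved, so there is nothing to compare an advisory against until it is pinned.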

4. Open Source Add-Ons Add Additional Security Complications

Even if we disregard the issues associated with the main open source solution – which we absolutely shouldn’t do – there’s still a huge elephant in the room. Most open source users rely on add-ons.

These add-ons are also open source tools and are therefore subject to all of the same issues faced by the software they are adding to. They are frequently maintained by different people from the core project, reviewed less closely, and run with whatever access the tool itself has, so each one extends the attack surface and needs its own inventory, review and patching.
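One practical control for add-ons is to refuse to install anything that has not been reviewed and pinned: an allowlist of add-on name, version and SHA-256 digest, checked at install time. The following is an added example in Python (not code from the original post or from any tool it mentions). The add-on names and the archive bytes are constructed stand-ins; in practice the allowlist is generated once from artefacts someone has actually reviewed and is committed alongside the tool’s configuration. Note what this does and does not do: it stops a substituted or tampered download and an unreviewed version from being installed, but it says nothing about whether the pinned version has a known vulnerability, which is a separate check against advisories.

```python
"""Allowlist add-ons by name, version and SHA-256 digest before installing them.

Added example, not code from the original post. The add-on names and the
archive bytes are constructed for illustration; a real allowlist would be
generated once from reviewed artefacts and committed with the tool's
configuration, and the install step refuses anything not on it.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(allowlist: dict, name: str, version: str, data: bytes) -> dict:
    """Record a reviewed add-on. From now on only this exact artefact is acceptable."""
    allowlist[name] = {"version": version, "sha256": sha256_hex(data)}
    return allowlist[name]


def verify_artifact(allowlist: dict, name: str, version: str, data: bytes) -> tuple:
    """Return (ok, reason). Any mismatch is a hard stop, not a warning."""
    entry = allowlist.get(name)
    if entry is None:
        return False, "not on the allowlist"
    if entry["version"] != version:
        return False, f"version {version} is not the pinned {entry['version']}"
    # compare_digest avoids leaking the position of the first differing byte
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        return False, "digest mismatch: artefact is not the reviewed copy"
    return True, "ok"


# Constructed stand-ins for add-on archives (real ones would be zip/jar bytes).
REVIEWED_REPORTER = b"constructed archive: html-reporter 1.4.0"
REVIEWED_SCREENSHOT = b"constructed archive: screenshot-helper 0.9.2"


def build_allowlist() -> dict:
    """The one-off step done after reviewing each add-on."""
    allowlist = {}
    pin_artifact(allowlist, "html-reporter", "1.4.0", REVIEWED_REPORTER)
    pin_artifact(allowlist, "screenshot-helper", "0.9.2", REVIEWED_SCREENSHOT)
    return allowlist


def install_checks() -> dict:
    """What the install step sees for four candidate artefacts."""
    allowlist = build_allowlist()
    # one byte changed: what a substituted or tampered download looks like
    tampered = REVIEWED_REPORTER[:-1] + bytes([REVIEWED_REPORTER[-1] ^ 0x01])
    return {
        "genuine": verify_artifact(allowlist, "html-reporter", "1.4.0", REVIEWED_REPORTER),
        "tampered": verify_artifact(allowlist, "html-reporter", "1.4.0", tampered),
        "wrong_version": verify_artifact(allowlist, "screenshot-helper", "1.0.0", REVIEWED_SCREENSHOT),
        "unlisted": verify_artifact(allowlist, "fancy-dashboard", "2.0.0", b"anything"),
    }


if __name__ == "__main__":
    for candidate, (ok, reason) in install_checks().items():
        print(f"{candidate:14} {'install' if ok else 'REFUSE '} {reason}")
```

Only the genuine, reviewed artefact passes; the tampered copy, the un-pinned newer version and the add-on nobody reviewed are all refused. Keeping the allowlist under version control also gives you the inventory of add-ons that section 2 says is so hard to maintain after go-live.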

Conclusion

In my opinion, it is undeniable that open source test tools carry significant security risks.

On the surface, I find it odd that some financial institutions, usually risk-averse, appear happy to use open source tools.

However, when I think about this more deeply, I wonder if those controlling the purse strings know how to assess and understand open source’s risk and true cost.

These are risks that the right paid tools can reduce.

Tools like the Micro Focus suite have external security validation, automated scanning of the code base, and regular, predictable patch releases, with a vendor accountable for the code and the third-party components it ships. For most organisations they will prove cheaper in the long run.

Learn about these tools – Contact us today!


by Stephen Davis

Stephen Davis is the founder of Calleo Software, an OpenText (formerly Micro Focus) Gold Partner. His passion is to help test professionals improve the efficiency and effectiveness of software testing.

