Products

Problems
we solve

We can help your business

Request a Free Demo / trial

Insights

Insights | Application Security | Open source
3 December, 2022

How Secure Are Open Source Test Tools?

There’s a polarisation of opinion amongst test tool users – it boils down to where you stand on the following question: Open source v paid tools.

In this debate, there’s one area that I don’t think gets enough attention, application security.

Even when it is discussed, I often hear the open-source champions casually proclaim that “Open source tools are not necessarily more prone to hacks than proprietary test tools.” 

Sure, it’s easy to make claims like this. But can it really be true? 

In this blog, I ask. How secure are open source test tools? I highlight 4 areas where open source security should give you cause for concern.

1. Open Source Code Doesn’t Always Have a Security Review

As a test professional, you know that even the best developers have defects in their code. These defects range from easily detected functional issues, though more complex performance issues, to deeply buried security vulnerabilities.

The fact is, it’s hard, if not impossible, to develop flawless code. All software needs to be tested thoroughly prior to release, and this includes security testing. Most developers aren’t experts in writing secure code, it’s way down on their list of priorities. 

2. Open Source Relies Heavily on Third Party Libraries

Open Source software often pulls in third-party libraries that are then used in blind faith. We should give the original developers the benefit of the doubt. I’m sure they initially vetted the libraries that were used and implemented any fixes required during the development.

However, once open source software goes live, it is increasingly difficult to ensure that all libraries are known and patched appropriately.

3. Bad Actors Have Visibility of Open Source Code Too

Open Source proponents like to counter the issues above, by pointing out that their code is widely used and constantly scrutinised by many developers. Their argument is that this increases the likelihood of security flaws being caught and squashed. And that is partially true. At least, they’re likely to fix them eventually. But what happens in the meantime?

Open Source projects have development communities, these are the people who contribute to the development of the solution.

When a potential vulnerability is detected, the members of the development community are notified– By its very nature, this is before the vulnerabilities are fixed.

Unfortunately, not all development community members have the best intentions in mind – some of them could be cybercriminals.

These notifications mean they don’t even have to do any homework. They can immediately pounce on anyone running old versions. In fact, criminals can often access the vulnerabilities even after fixes have been implemented in the source code. After all, not all companies deploy fixes immediately.

4. Open Source Add-Ons Add Additional Security Complications

Even if we disregard the issues associated with the main open source solution – which we absolutely shouldn’t do – there’s still a huge elephant in the room. Most open source users rely on add-ons.

These add-ons are also open source tools and are therefore subject to all of the same issues faced by the software they are adding to.

Conclusion

In my opinion, it is undeniable that open source test tools carry significant security risks.

On the surface, I find it odd that some financial institutions, usually risk-averse, appear happy to use open source tools.

However, when I think about this more deeply, I wonder if those controlling the purse strings know how to assess and understand open source’s risk and true cost.

These are risks can that you can avoid by using the right paid tools.

Tools like the Micro Focus suite get external security validation done. They automatically validate every line of code and release regular and consistent patches. They will, for most, prove cheaper in the long run.

Learn about these tools – Contact us today!

Subscribe to testing times

Stephen Davis
by Stephen Davis

Stephen Davis is the founder of Calleo Software, a OpenText (formerly Micro Focus) Gold Partner. His passion is to help test professionals improve the efficiency and effectiveness of software testing.

To view Stephen's LinkedIn profile and connect 

Stephen Davis LinkedIn profile

3rd December 2022
How to think like a top tester

How to Think Like a Top Tester: The 3 Essential Skills That Nobody Teaches

To become a top tester, you need three critical skills often overlooked in traditional training. These skills are simple to understand and easy to adopt, but they have made a huge difference in my career and will help take yours to the next level. They also have nothing to do with software testing.

4 Lessons We Can Learn

How NASA Does Software Testing: 4 Lessons We Can Learn

As a software tester, I’ve always wondered how organisations like NASA test their critical systems. After all, their systems are unique and complex, and the stakes are almost incomprehensibly high—a single software bug can result in catastrophic failure and loss of life.

Help needed to hit 10000 subscribers

Please Help Us Hit 10,000 Subscribers

Hello, fellow software testing enthusiasts! I’m excited to share something I’m passionate about and have been working on diligently for the last two years—Testing Times, a LinkedIn newsletter dedicated to exploring the latest trends, insights, and innovations in software testing.

three-students-holding-diplomas

Are Universities Failing To Prepare Computing Students?

Universities play a crucial role in developing the next generation of computing professionals. However, by adopting a short-sighted approach to test tools, academic institutions are missing a crucial aspect from their computing and information systems degree courses.

the next generation of test tools

The Evolution of Test Tools: Passing the Baton

Test tools have long been essential to software quality and testing efficiency, but over the years, they have transformed significantly, becoming more powerful, cost-effective, and reliable than ever before. One test tool suite has been at the forefront of this evolution, tracing its lineage back to the 1990s.

Service Virtualization

Seriously, Why Aren’t You Using Service Virtualization?

Service Virtualization (SV) remains one of the most criminally underused tools in software testing. It’s astonishing to me just how many organisations still ignore its benefits – test earlier and save money. If you’re not using SV, you are missing out—plain and simple.

UFT Digital Lab

UFT Digital Lab 24.2: What’s New?

If you need to test multiple devices, OS versions, or browser types, you need UFT Digital Lab from OpenText (previously known as Mobile Center and UFT Mobile). It has a comprehensive suite of features specifically designed for mobile, tablet and web testing across myriad platforms.

TruClient performance testing

TruClient: Quick, Easy & Powerful Performance Testing

TruClient significantly speeds up the script creation process and allows you to capture true end-to-end application performance, including protocol level and front-end performance, e.g. how long screens or pages load.

ALM QC 241

What’s New in ALM/QC 24.1: Release Highlights

If you’re involved with waterfall projects, you may well be familiar with the test management tool ALM/Quality Center (ALM/QC), but you might be surprised at its capabilities. The latest release, Version 24.1, is a modern test management powerhouse.

Insights

Search

Related Articles

To get other software testing insights, like this, direct to you inbox join the Calleo mailing list.

You can, of course, unsubscribe 

at any time!

By signing up you consent to receiving regular emails from Calleo with updates, tips and ideas on software testing along with the occasional promotion for software testing products. You can, of course, unsubscribe at any time. Click here for the privacy policy.

Sign up to receive the latest, Software Testing Insights, news and to join the Calleo mailing list.

You can, of course, unsubscribe at any time!

By signing up you consent to receiving regular emails from Calleo with updates, tips and ideas on software testing along with the occasional promotion for software testing products. You can, of course, unsubscribe at any time. Click here for the privacy policy.