Open Source Risks

It’s really surprising to me than a widely reported recent WordPress plugin hack was mostly brushed off as just another system getting hacked. I really see this as a much bigger issue. While the WordPress team did a good job of detecting and handling the situation, they still forced password resets on everyone using the system. As a developer, it looks like they were not 100% sure they had closed all the loopholes or found all the malicious code.

How did the hack actually happen? The hackers managed to impersonate developers on the project and check in a very few lines of code that created a back door for the hackers to get in through. At some point this was caught by the team reviewing check-ins, but the across-the-board password reset makes me wary. This post makes it seem like the code made it into the repository and was available to some users for a short period of time.

The bigger issue here is that hackers are actively targeting open source projects. This problem is much bigger than the hack itself, and no one is talking about it in the online conversation (that I have found). Large companies already prohibit the use of open source for this very reason, and are being proved right. Enterprise developers are forced into building sub-optimal solutions since they can’t use open source.

In this instance the project team was diligent enough to catch it before it got too far. What about other projects? Are there back doors out there now. I’m certain there are. As a developer, what is the quantifiable risk of using an open source library? We need to address this situation without killing the collaboration and openness of open source.

The large companies are addressing this by getting smaller companies to indemnify the open source project and take on the risk of being sued if a hack gets through. While this is working on some fronts, it certainly doesn’t scale. There are thousands of open source projects, most of which will never see indemnification by a third party.

I don’t have the solution in hand, but it seems to me the conversation needs to get moving.