Write a response to this post (use your own words, 100 words+).
Securing open source utilities and preventing attackers from exploiting them is a task for professionals. It’s a task with overhead that requires know-how and demands some compromise from users. The problem is, as always, finding the golden path between ease of use, time to market, and security. At the moment, the installation defaults favored by open source utility vendors focus largely on the first and second of these considerations, leaving security unattended and unaddressed. In the interest of ease of deployment, many open source projects have no security by default — even if they are, as mentioned above, built for potential secure implementation. There are also some that come to market before they’re actually ripe for production, with developers still struggling with basic product functionality and not yet even thinking about security.
For example, almost all open source projects (MongoDB included, until recently) have an easy default password for the admin interface, and some have no password at all by default. Many don’t use encrypted protocols, and some even contain undocumented backdoors, such as a TELNET interface or JMX monitors, to facilitate debugging. Breaches of highly secured internal databases and data leaks from sensitive air-gapped organizational sources are common occurrences. While some are the result of highly sophisticated targeted attacks, attackers are not all that choosy. They’ll take whatever data is easiest to access. Malware such as Pony scours each infected machine for passwords, open FTP sessions, SQL/NoSQL databases, SSH tokens, and more. There’s no reason to assume locally implemented open source utilities with default or no security are safe from even the most rudimentary hacking attempts.
One such measure, for instance, is minimizing or eliminating the unnecessary storage of data. “Companies also need to think carefully about what data they are collecting and storing. By keeping lots of sensitive information, they place themselves and their customers at considerable – and in some cases unnecessarily greater – risk than if they had deleted the data or never collected it. To take one startling example, security experts say there was absolutely no reason for Target to have stored the four-digit personal identification numbers, or PINs, of their customers’ debit cards.”
Injection flaws result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS – we’ll talk about this later), to the LDAP server (LDAP injection), or anywhere else. The problem here is that the attacker can inject commands into these entities, resulting in loss of data and hijacking of clients’ browsers. Anything that your application receives from untrusted sources must be filtered, preferably according to a whitelist. You should almost never use a blacklist, as getting one right is very hard and the result is usually easy to bypass. Antivirus software products typically provide stellar examples of failing blacklists. Pattern matching does not work.
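As an added example (not part of the post above), the failure mode and the fix the paragraph describes, side by side in Python: a lookup that splices untrusted input straight into SQL text, beside a hardened version that first checks the input against an allow-list (the paragraph's whitelist) and then passes it to the database as a bound parameter, so the driver treats it as data rather than as SQL. The table, the rows, and the username pattern are constructed for this example; an in-memory sqlite3 database stands in for the SQL server.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unfiltered(conn, username):
    """Vulnerable: untrusted input becomes part of the SQL text.

    A value containing a quote changes the meaning of the statement, which
    is exactly the injection flaw the post describes.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allow-list: the only shape a username is permitted to have (constructed
# policy for this example: lowercase letter, then up to 31 of [a-z0-9_]).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(username):
    """Allow-list check: True only if the value matches the permitted shape."""
    return bool(USERNAME_RE.match(username))


def lookup_hardened(conn, username):
    """Hardened: reject anything outside the allow-list, then bind the value
    as a parameter so it can never be interpreted as SQL."""
    if not validate_username(username):
        raise ValueError("rejected by allow-list: %r" % username)
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_rejected(conn, username):
    """Helper for checks: True if the hardened lookup refuses the input."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed value containing a quote
    print("unfiltered, normal input:", lookup_unfiltered(db, "alice"))
    print("unfiltered, crafted input:", lookup_unfiltered(db, crafted))
    print("hardened, normal input:", lookup_hardened(db, "alice"))
    print("hardened rejects crafted input:", is_rejected(db, crafted))
```

The allow-list does the filtering the paragraph asks for, and the parameterized query is the second layer: even a value that slips past a poorly written allow-list cannot alter the statement, because it never becomes SQL text. Note that the allow-list is written as what is permitted, not as a list of forbidden substrings; a blacklist of keywords is the approach the paragraph warns against.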
This post questions the very belief in the open source technologies that have become de facto standards industry-wide. In the name of ease of use and zero associated costs, companies are unintentionally inviting vulnerabilities into their servers. The very prevalence of these open technologies in the industry leaves a grey area in the security apparatus that requires minimal effort to compromise. The open source technologies are rife with vulnerabilities, from unintentional backdoor entries and frequent use of unencrypted protocols to the use of default passwords or no passwords at all.
Even locally implemented security arrangements, or the lack thereof, are a host of things observed locally that make the already unsafe security setup all the more insecure: using a blacklist rather than a whitelist to filter access to servers from unknown sources, the lack of input filtering that results in injection flaws in the servers, and the unchecked storage of data.