A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce the development time. What concept should software developers consider when using open-source software libraries?
Correct Answer: A
The concept that software developers should consider when using open-source software libraries is that open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild. Open source software libraries are collections of reusable code or functions that are publicly available and free to use or modify by anyone. Open source software libraries can reduce the development time of a software product, as they provide ready-made solutions or features that the software developers can integrate into their own code. However, open source software libraries also pose security risks, as they may contain known vulnerabilities that are publicly disclosed and documented, and that adversaries can easily exploit to compromise the software product or the system. Software developers should consider this concept when using open source software libraries, and they should perform due diligence, such as checking the reputation, quality, and security of the open source software libraries, updating them regularly, and testing them for vulnerabilities or compatibility issues. Open source software libraries cannot be used by everyone, and there is no common understanding that the vulnerabilities in these libraries will not be exploited, as this is a false and naive assumption that ignores the reality and the nature of the cyberthreat landscape. Open source software libraries are not constantly updated, making it unlikely that a vulnerability exists for an adversary to exploit, as this is also a false and optimistic assumption that overlooks the fact that some open source software libraries may be outdated, abandoned, or poorly maintained by their developers or communities. Open source software libraries do not contain unknown vulnerabilities, so they should not be used, as this is a false and pessimistic assumption that disregards the benefits and the potential of the open source software libraries, and that implies that proprietary or closed source software libraries are free of vulnerabilities, which is not true.
References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 21: Software Development Security, page 2016.