Open source code is no less secure than proprietary code, but it is not more secure either. Inevitably, there will be vulnerabilities that will need patching.
If you don’t patch, it can cost you, big time. If your applications or networks get breached because you don’t know what open source components you’re using, the parade of potential horrors is by now familiar: stolen IP, theft of customer PII (personally identifiable information), ransomware attacks, loss of reputation, legal liability, punitive fines for noncompliance and more.
And patching open source is not as simple as enabling a version of “auto-update,” which works for commercial software because most vendors automatically “push” patches out to users. Open source patches are published as well, but users are responsible for tracking them and “pulling” them from the project’s repository to install them.
Fail to do that, and you could end up like Equifax. The credit reporting giant discovered on July 29, 2017, that it had been breached, leaking Social Security numbers and other personal data of more than 147 million customers. Why? Because it failed to apply a patch to the popular open source web application framework Apache Struts—a patch that had been available for several months.