
Setting up my own Open Source project...

December 06, 2008 1:13pm

  • #1 / Dec 06, 2008 1:13pm

    Clooner

    464 posts

    Hi all,

    I’ve been thinking about releasing my web shop solution as open source. The shop is made using CI. I had been thinking about replacing the shop with solutions like Magento or PrestaShop, but I failed to do so. I decided to continue developing it on my own since I really don’t like the direction other open source solutions go. Now I still want to add features and improve the site, and I think this is easier as open source. I created a Google Code page for it, but I am reluctant to release it. My main concern is the security issue. A live shop is still running with it and I am afraid (don’t know of what exactly) that something might happen. So maybe someone could give me some pointers on what to do or especially on what not to do.

    Kind regards,

    Jeroen

  • #2 / Dec 06, 2008 2:55pm

    Michael Wales

    2070 posts

    Security through obscurity is not security.

    There are only two ways for this to play out:

    1. You release it open source, someone spots a security hole and tells you about it, or even submits a patch to fix it. Your real world store is protected from this hole now.

    2. You don’t release it, someone figures out the hole on your real world store and exploits it. You lose money, fire and brimstone fall from the heavens and babies are sacrificed.

    Releasing it open source doesn’t mean you have to tell people where it’s used in the real world. You’re not “unprotecting” yourself by releasing it.

  • #3 / Dec 06, 2008 9:17pm

    Randy Casburn

    997 posts

    Hi clooner,

    Michael is right, getting other folks to look at your work is very helpful sometimes. There is no substitute for collaborative development, but if you find that you just cannot release the code for some reason, there is an alternative.

    If you write code that tests the expected behavior of your system, it may go a long way towards exposing flaws that exist. The challenge is in coming up with all the tests, and then figuring out how to write them in such a way that they stress your security system thoroughly enough. This can be done, but it is tough.

    You’ll find some “unit testing” solutions in the wiki that will be of some help in this regard.

    Good Luck,

    Randy

    p.s. Sometimes the “obscurity” thing gets a little overplayed.

  • #4 / Dec 07, 2008 12:31pm

    Clooner

    464 posts

    Ok guys… so basically not many security issues to deal with since you will all help me to fix them :D Any other thoughts? The shop is currently in Dutch. Can I release it like this, or would you recommend an English release? What about the design? Does anyone really care, or can it just be very plain?

  • #5 / Dec 08, 2008 2:05am

    stuffradio

    378 posts

    We can’t scour your code for you and tell you where all the security holes are. Someone may be interested, but don’t expect the whole community to look at it line by line and look for holes.

  • #6 / Dec 08, 2008 9:06am

    Phil Sturgeon

    2889 posts

    I’ll happily take a look, 20p a line.

  • #7 / Dec 09, 2008 12:12am

    spyro

    89 posts

    I would recommend releasing in English and with a good looking template. Even though the developers know that a template can be fairly easily changed, you want to put your best foot forward with everyone. And that means having it look good as well as function well.

    As for the security concerns, I would go ahead and release the code and start writing security targeted unit tests.
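    As an illustration of the “security targeted unit tests” suggested in #3 and #7, here is an added example that is not from the thread or from the shop itself: a standalone PHP script whose three functions are assumed stand-ins for a CodeIgniter shop’s own cart, product-lookup and view code, exercised with the kind of hostile inputs such tests should cover.

```php
<?php
// Added example, not code from the thread. The three functions are
// hypothetical stand-ins for a shop's own input handling; wire the
// cases below to your real cart/product/view code instead.
declare(strict_types=1);

// Only small positive whole numbers are valid cart quantities.
function normalise_quantity($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,2}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Product ids must be plain digits before they get anywhere near SQL.
function product_id_from_request($raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Product names are data, not markup: encode on output.
function render_product_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed test cases: [input, expected result].
$cases = [
    ['normalise_quantity', '3', 3],
    ['normalise_quantity', '0', null],
    ['normalise_quantity', '-1', null],
    ['normalise_quantity', '1e3', null],
    ['normalise_quantity', null, null],          // missing field
    ['product_id_from_request', '42', 42],
    ['product_id_from_request', '7 OR 1', null],
    ['product_id_from_request', "7'", null],
    ['product_id_from_request', '', null],
    ['render_product_name', '<b>x</b>', '&lt;b&gt;x&lt;/b&gt;'],
    ['render_product_name', 'Tom & Jerry', 'Tom &amp; Jerry'],
    ['render_product_name', '"quoted"', '&quot;quoted&quot;'],
];

$failures = 0;
foreach ($cases as [$fn, $in, $want]) {
    $got = $fn($in);
    if ($got !== $want) {
        $failures++;
        fwrite(STDERR, "$fn(" . var_export($in, true) . ") gave " . var_export($got, true) . "\n");
    }
}
echo $failures === 0 ? "all security cases passed\n" : "$failures case(s) failed\n";
exit($failures === 0 ? 0 : 1);
```

Run it with `php` from the command line; a non-zero exit status makes it usable as a pre-release check in a build script.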

  • #8 / Dec 09, 2008 11:10am

    Tom Schlick

    386 posts

    If you release it in English I’ll be sure to test it out, no problem. I always like to have a codebook of applications I can deploy fast (especially with CI). And I have no problem letting you know of any security concerns/glitches I have.

  • #9 / Jan 11, 2009 11:17pm

    Clooner

    464 posts

    I just put the first really crappy version of it on github.

    http://github.com/JeroenSchaftenaar/inscorta/tree/master

    The code is two years old
    Not documented
    Currently it is completely useless but I’ll try to fix this 😊

  • #10 / Jan 12, 2009 1:05am

    Michael Wales

    2070 posts

    GitHub was an excellent choice for this - it allows people to fork the code easily, go their own way with it, and you can then pull those changes down into your branch easily.

    I love GitHub, especially for open source projects that I just want to release but I really don’t care what happens to them. Git allows you to open maintenance up to the world so much more easily than other version control systems do.

  • #11 / Jan 14, 2009 6:02pm

    Xeoncross

    350 posts

    2. You don’t release it, someone figures out the hole on your real world store and exploits it. You lose money, fire and brimstone fall from the heavens and babies are sacrificed.

    Microsoft explained.

  • #12 / Jan 14, 2009 6:23pm

    Randy Casburn

    997 posts

    Linux explained, Java explained, PHP explained, MySQL explained, Perl explained, et al.

    It’s the nature of the bad people that is being explained…not the nature of bad software.  The life cycle of the exploit can be debated until the cows moo over Saturn.

    Microsoft’s blunder again yesterday (1/13/09) shows that even the massively collaborative (offshore) development that Microsoft uses will not prevent bad people from finding exploits in software that is intended to be secure. Whether Microsoft writes crap software or not is not what is up for debate here…it is doubtful they corporately _intend_ to release software with such gaping security flaws.

    Just sayin…

    Randy
