Is FFmpeg and Open Source Software Secure

The entire content delivery network industry runs on some form of open source software, starting from Akamai, all the way down to the smaller CDNs. We can include cloud-based media companies such as encoding.com, Brightcove, and Kaltura in the mix. For those companies offering cloud transcoding services, my guess is that they are using FFmpeg libraries. In addition, many CDNs are using Nginx, Varnish, Lighttpd, Squid, Apache Traffic Server, or some other caching software in their infrastructure. Open source software is the engine that has fueled the success of many startup companies. Does this mean open source software is secure?

Out of the box, no open source software is secure. No way. Even if the company developing the software says it's secure, I still wouldn't take their word for it. All open source software must be tested for vulnerabilities. Everyone understands that open source software saves developers an incredible amount of time in the development life cycle, since they don't have to write functionality from scratch. However, the recent Heartbleed bug in OpenSSL brings into question the use of open source software and how to secure it in production applications. With regard to security best practices, we have the experts at Contrast Security. They know more about securing software code than anyone else in the business. The most interesting part is that the founder of Contrast Security was also the founder of OWASP.

David Wichers from Contrast Security says it best:

The cost of including a library has gone way down. Developers aren’t stupid, so they’re naturally going to say, ‘I don’t have to write that code, I’ll just use a library to do it.’ As a result, they risk pulling in potentially insecure code and running it with the full privilege of their application. That risk is huge, especially if there is a vulnerability in the library, because you’ve now exposed everything that your application has access to.
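The two points above, that every bundled component must be tested for known weaknesses and that a library runs with whatever privilege the application has, both start from knowing exactly which versions are in the build. The following Python script is an added example, not code from this post or from Contrast Security: a minimal software-composition check that matches a pinned component inventory (ffmpeg, openssl, nginx, varnish) against an advisory list. The advisory identifiers (ADV-EXAMPLE-*), their version ranges and the inventory are constructed sample data standing in for a real advisory feed; the version parser assumes dotted numeric versions with an optional OpenSSL-style trailing letter.

```python
"""Added example: match a component inventory against an advisory list.

The advisories and inventory below are constructed sample data, not real
published vulnerabilities; a real deployment would load them from the
project's or a vendor's advisory feed and from the build manifest.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dotted numeric version with an optional single trailing letter (1.0.1g).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.2.1' or '1.0.1g' into a comparable tuple.

    Numeric parts are padded to four places so '1.0' == '1.0.0.0', and the
    letter suffix becomes a final rank (a=1, b=2, ...) so 1.0.1g > 1.0.1f
    and 1.0.1 (no letter, rank 0) sorts before both.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in match.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    letter = ord(match.group(2)) - ord("a") + 1 if match.group(2) else 0
    return nums + (letter,)


@dataclass(frozen=True)
class Advisory:
    id: str          # constructed placeholder id, not a real CVE
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str | None  # first fixed version (exclusive); None = no fix yet
    severity: str    # low / medium / high / critical

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed advisories (placeholder ids and ranges).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ffmpeg", "2.0", "2.2.1", "high"),
    Advisory("ADV-EXAMPLE-0002", "openssl", "1.0.1", "1.0.1g", "critical"),
    Advisory("ADV-EXAMPLE-0003", "nginx", "1.4.0", None, "medium"),
]

# Constructed build inventory: component -> pinned version.
INVENTORY = {
    "ffmpeg": "2.1.4",
    "openssl": "1.0.1g",
    "nginx": "1.4.7",
    "varnish": "3.0.5",
}


def check_inventory(inventory: dict[str, str],
                    advisories: list[Advisory]) -> list[tuple[str, str, Advisory]]:
    """Return (component, version, advisory) for every advisory that matches."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is not None and adv.affects(version):
            findings.append((adv.component, version, adv))
    return findings


def should_block(findings: list[tuple[str, str, Advisory]],
                 threshold: str = "high") -> bool:
    """True if any finding is at or above the severity threshold (a build gate)."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[adv.severity] >= limit for _, _, adv in findings)


if __name__ == "__main__":
    results = check_inventory(INVENTORY, ADVISORIES)
    for component, version, adv in results:
        fix = f"fixed in {adv.fixed}" if adv.fixed else "no fix available"
        print(f"{component} {version}: {adv.id} [{adv.severity}] ({fix})")
    print("block build:", should_block(results))
```

The gate is deliberately separate from the matcher so the same findings can fail a build at "high" while only warning at "critical"; a component with no fixed version still surfaces, which is the case where the quote's point about inherited privilege matters most, since the only remedy is to reduce what the library can reach.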