Comment: Open Source Assessment Platform Riddled With XSS Flaws

By ISBuzz Team, Writer, Information Security Buzz | Apr 10, 2020 11:31 am PST

It has been reported that security researchers have uncovered multiple cross-site scripting (XSS) vulnerabilities in TAO, an open source assessment platform. The researchers rated the vulnerabilities ‘medium’ severity and found them while examining the TAO Community Edition, an employee training and assessment tool.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center) | April 10, 2020 7:33 pm

People select open source solutions for a variety of reasons, but for many the allure of a free tool that’s related to a commercial offering is strong. Within open communities, commercial versions of software are often related to open source versions as either an “open core” or “upstream” model. In an open core paradigm, core code for the commercial version is created following open source paradigms, but “enterprise” features are then attached to that core to create the enterprise offering. The upstream model differs slightly in that functional differences tend to be fewer, but additional testing and support processes are used to define a “qualified release”. Either way, the code for the commercial version is derived from that of its open source roots, which typically means that the open source code is just as secure as that of the commercial offering. From the SEC Consult report, it appears that TAO Testing views including security fixes as part of the value customers obtain from the purchase of a commercial license. This is a perfect example of why I recommend that consumers of open source solutions directly engage with the communities that are creating their software: you get to learn the security standards employed by that community. In the case of TAO, the lack of README instructions for how to build the software and how to contribute to the project is an indication that TAO Testing is primarily publishing their source code, not creating an open source community. Consumers and users of the TAO Community Edition should reach out to TAO Security to clarify expectations for timely security updates and how they expect open source community engagement to occur.

