Open Source Apps Not So Secure

Wednesday, March 28, 2012 @ 03:03 PM gHale

More than half of the world’s largest corporations have open source applications with security vulnerabilities, a new study reported.

That’s because more than 80 percent of software applications built in-house by enterprise developers incorporate open source components and frameworks that may be vulnerable.


Those are just some of the points from a joint research report issued by Silver Spring, MD-based Sonatype and Aspect Security.

The report — based on a survey of 2,550 developers, architects and analysts — said the widely held view that open source software is consistently high quality “overlooks ecosystem flaws.” One such flaw is the lack of a notification system alerting developers to vulnerabilities and to new versions that fix them.

“Eighty percent of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated,” said Jeff Williams, chief executive of Aspect Security, a Columbia, MD-based application security consulting firm.

There have been 46 million downloads of insecure versions of the most popular open source libraries and frameworks, including Google Web Toolkit, Spring MVC, Struts 1.x and Hibernate, the report said.

The report found Struts 2 — downloaded more than one million times by 18,000 corporations — contained a critical vulnerability.

The survey also found that 37 percent of all versions of the 31 top components tested contained a CVE or OSVDB vulnerability, and that popular components are only 10 percent less likely to have vulnerabilities than less popular ones.

The report also said only 32 percent of organizations “maintain an inventory of the dependencies in their production applications, complicating issue resolution when a new vulnerability is discovered.”

“With more than 80 percent of typical software applications using open-source components and frameworks consumed in binary form, the results of this research are a wake-up call to nearly every organization developing software to run business-critical functions,” according to Aspect Security, a founding member of the Open Web Application Security Project.

The upshot is that enterprises need to maintain, and strictly manage, inventories of the software components in their applications.
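The inventory the report calls for, as an added example that is not from the report or from Sonatype or Aspect Security: dependencies are pulled from a Maven pom.xml into an inventory and matched against an advisory list of fixed-in versions. The pom fragment, the version numbers and the advisory entries are constructed for this example, and the version comparison is a simplification of Maven's real ordering rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (sample input, not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>3.1.0.RELEASE</version></dependency>
    <dependency><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>4.1.0.Final</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (groupId, artifactId, first fixed version, advisory id).
# Versions below "first fixed" are treated as affected. Ids are placeholders, not real CVEs.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "2.3.2", "ADVISORY-PLACEHOLDER-1"),
    ("org.springframework", "spring-webmvc", "3.0.0.RELEASE", "ADVISORY-PLACEHOLDER-2"),
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Split '3.1.0.RELEASE' into a comparable tuple: numeric parts compare as
    integers, qualifiers as strings. Simplified: Maven's qualifier ordering
    (alpha < beta < release, etc.) is not modelled."""
    parts = []
    for piece in re.split(r"[.-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return parts


def inventory(pom_xml):
    """Return [(groupId, artifactId, version)] for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependency", NS):
        deps.append(tuple(dep.findtext(f"m:{tag}", namespaces=NS).strip()
                          for tag in ("groupId", "artifactId", "version")))
    return deps


def affected(inv, advisories):
    """Match inventory entries against advisories; a dependency is flagged when
    its version sorts below the advisory's first fixed version."""
    hits = []
    for group, artifact, version in inv:
        for adv_group, adv_artifact, fixed_in, advisory_id in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and \
                    version_key(version) < version_key(fixed_in):
                hits.append((group, artifact, version, advisory_id))
    return hits
```

Running `affected(inventory(SAMPLE_POM), ADVISORIES)` flags only struts2-core 2.3.1; spring-webmvc 3.1.0.RELEASE is at or above its fixed-in version and hibernate-core has no matching advisory.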

While you must register, you can click here for a copy of the study.
