Application developers criticized for using vulnerable open-source packages
Published: March 27, 2012 10:32
Application developers and programmers are increasingly utilizing open-source frameworks off the internet that often have serious bugs and even critical security holes in them, completely unaware that newer and fixed versions already exist, according to a new report just released today.
Packages such as the Google Web Toolkit, the Spring Model View Controller, and even Apache's Struts and Xerces have been downloaded millions of times despite containing many known vulnerabilities, as download data from the Sonatype.org central software repository shows.
In a joint effort, Sonatype and Aspect Security tallied more than 46 million downloads of out-of-date versions of no fewer than thirty-one of the most popular open-source libraries, plug-ins, extensions and internet frameworks used today in thousands of applications, some of which are deemed mission-critical to some enterprises.
But the news comes as no surprise to some observers in the IT industry, since this has been going on for the past 10 to 12 years. In the past year, however, the trend has worsened, and IT system admins and project managers are now urged to take corrective action soon.
One in three of the most popular components were downloaded with security flaws despite the existence of new versions complete with vulnerability patches already applied.
The research found that faulty components are going into most of the world's program code: about 80 percent of "typical software applications" are open-source components and frameworks compiled into binary form. The 500 biggest companies downloaded more than 2.8 million packages containing many flaws in just one year, according to the study.
Aspect Security boss Jeff Williams called the data "a wake-up call" for software development organizations and project managers. "While the numbers from this report are staggering, the takeaway is clear - open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," he said.
In January 2012, code testing specialist Coverity revealed in its annual report that the quality of open-source code was on par with that of commercial, i.e. proprietary, software.
Analyzing 37 million lines of code from 45 of the most active open-source projects, Coverity found the number of defects per thousand lines of code was about 0.45. Overall, Linux's kernel version 2.6, PHP 5.3 and PostgreSQL 9.1 scored the best.
This compares with 0.64 in 300 million lines of code from 41 proprietary codebases. The industry average 'defect density' coefficient is conveniently pegged at 1.0.
Coverity added that those who commit to ensuring software quality by adopting development testing will "reap the benefits of high code quality and continue to see quality improvements over time".