New Study Reveals Widespread Use of Vulnerable Open-Source Components by the Global 500
Published: March 26, 2012 09:00
Sonatype, the company transforming software development, and Aspect Security, a pioneer in application security, have collaborated on the industry's first study of the real-world use of vulnerable versions of open-source libraries. Used by developers around the world, open-source components are downloaded from the Central Repository thousands of times per day to create applications relied on by the Global 2,000 and others to conduct finance, energy, government and military activities. While the numbers are staggering, Sonatype and Aspect Security are calling for awareness and process changes by software development teams to avoid security risks.
As the stewards of the Central Repository, the industry's primary source for open-source components, Sonatype is in the unique position to provide never-before-seen data on usage of open-source software worldwide. The Central Repository receives four billion requests per year, contains 300,000 components and is used by more than 60,000 development organizations worldwide. The data was analyzed by experts from Aspect Security, including Jeff Williams, who is responsible for drafting the "Open Web Application Security Project (OWASP) Top 10," the industry's widely accepted resource and guideline for application security.
- Modern software relies heavily on open source: More than 80 percent of typical software applications are open-source components and frameworks consumed in binary form.
- The Global 500 is at risk: Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.
- Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
- Many popular components have flaws: There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
- Users are not update aware: One in three of the most popular components had older, vulnerable versions still being commonly downloaded, even when a newer version, with the security fix, was available.
- Community scrutiny drives flaw discovery: Open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components. This is, at least in part, indicative of the effectiveness of broad community collaboration and active support.
"The data clearly show that organizations consume huge numbers of vulnerable libraries. This is a wake-up call for software development organizations," said Jeff Williams, CEO of Aspect Security. "While the numbers from this report are alarming, the take-away is clear -- open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage."
A single vulnerable component can completely undermine the security of an application, expose vulnerable data assets and jeopardize the integrity of an organization's software portfolio. These findings come at a time when the cost of insecure software applications is high and growing. In 2011, successful cyber-attack rates grew by 44 percent, with an average time to resolution of 18 days and the average cost of a data breach at $5.5 million per event.1
The average enterprise downloads more than 1,000 unique components from the Central Repository each month, with large banks and independent software vendors (ISVs) downloading even more. Because each component includes dependencies on tens or hundreds of other components, a massively complex ecosystem emerges. The growing reliance on open-source components as core building blocks for application development, coupled with the complexity of the ecosystem, has given rise to a largely misunderstood application security risk where the world's largest enterprises have built mission-critical applications that contain vulnerabilities.
"Our analysis points to critical gaps in the open-source component ecosystem -- a lack of visibility and control compounded by the lack of a centralized update notification infrastructure," said Wayne Jackson, CEO of Sonatype. "Every day, mission-critical applications are compromised by malicious exploit, yet as this analysis shows, organizations have no clear view into component usage. Sonatype is working to correct this problem with the delivery of products and information services that offer actionable insight at every stage of the application development process."
Complete results of the study on how widespread the problem of using flawed code is in component-based software development are available in the whitepaper, "The Unfortunate Reality of Insecure Libraries" available for download at https://www.aspectsecurity.com/news/press/the-unfortunate-reality-of-insecure-libraries/.
To access the executive brief, "Addressing Security Concerns in Open-Source Components," visit www.sonatype.com/securitybrief. Follow the conversation on Twitter using the hashtag #OSSsecurity.
1 Symantec and Ponemon Institute, U.S. Cost of a Data Breach, March 2012
Sonatype ensures the integrity of the modern software supply chain. Sonatype's tools and information services improve visibility and control over component-based software development, enabling collaboration while reducing the risks associated with security and licensing and improving overall quality. Sonatype operates the Central Repository, the industry's primary source for open-source components and is a leader in such open-source projects as Nexus, Apache Maven, m2eclipse and Hudson. The company was founded by Jason van Zyl, the creator of Apache Maven, and is privately held with investments from Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @SonatypeCM.
About Aspect Security
Founded in 2002, Aspect Security is a consulting firm focused exclusively on application security, ensuring that the software that drives business is protected against hackers. Aspect's engineers analyze, test and validate approximately 5,000,000 lines of critical application code every month. Aspect unearths more than 10,000 vulnerabilities every year across a wide range of technologies and architectures, and the company's practical recommendations dramatically improve clients' security posture. Aspect supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Aspect Security is a founding member of the Open Web Application Security Project (OWASP) and leads widely adopted projects such the OWASP Top Ten, WebGoat, the Application Security Verification Standard (ASVS), Risk Rating Methodology and Enterprise Security API (ESAPI). For more information, please visit www.aspectsecurity.com.
Apache, Apache Maven and Maven are trademarks of the Apache Software Foundation.
Silver Spring, MD