Study Finds Widespread Use of Vulnerable Open-Source Components by the Global 500
Published: March 30, 2012 07:33
Sonatype, a company focused on the integrity of the modern software supply chain, has collaborated with Aspect Security, a provider of application security services, to study the real-world use of vulnerable versions of open-source libraries.
Open-source components are downloaded from the Central Repository thousands of times per day to create applications for the Global 2,000 and others for finance, energy, government and military activities.
80 percent of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. In partnership with Sonatype, Aspect researchers analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations.
The study included the 31 most popular Java frameworks and security libraries downloaded from the Central Repository ("Central"), and found that 26 percent of them have known vulnerabilities. Every organization should be concerned with the security of the components it uses and trusts to run its business.
The data was analyzed by experts from Aspect Security, including Jeff Williams, who drafted the "Open Web Application Security Project (OWASP) Top 10," a resource and guideline for application security.
The report concluded that modern software relies on open source. The Global 500 is at risk collectively, though financial services firms are the most exposed. Many popular components have flaws, and users are often not aware of available updates. Community scrutiny drives flaw discovery: open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other components.
"The data clearly shows that organizations consume huge numbers of vulnerable libraries. This is a wake-up call for software development organizations," stated Jeff Williams, CEO of Aspect Security.
"While the numbers from this report are alarming, the take-away is clear: open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," added Williams.
The average enterprise downloads more than 1,000 unique components from the Central Repository each month, with large banks and independent software vendors (ISVs) downloading even more. With each component depending on tens or hundreds of other components, a complex ecosystem emerges. The growing reliance on open-source components in application development, combined with the complexity of that ecosystem, has resulted in application security risks that are largely misunderstood.
"Every day, mission-critical applications are compromised by malicious exploit, yet as this analysis shows, organizations have no clear view into component usage," said Wayne Jackson, CEO of Sonatype. "Sonatype is working to correct this problem with the delivery of products and information services that offer actionable insight at every stage of the application development process."