Vulnerable open-source code components in business software
Published: March 27, 2012 09:43
A new research study has found that most businesses and independent software vendors that use open-source components in their applications don't know whether those components are safe. The research was conducted by Aspect Security, a firm that evaluates software for vulnerabilities, and Sonatype, which operates the Central Repository, an exchange for open-source components with a library of more than 300,000 components.
Based on the 4 billion requests received by the Central Repository per year, it became quickly evident that modern software relies heavily on open source, with more than 80 percent consisting of open-source components and frameworks. Unfortunately, the study found that there have been 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks alone. Some of these vulnerable libraries include Google Web Toolkit, Xerces, Spring MVC and Struts 1.x.
The low awareness of security updates becomes evident considering how older, vulnerable components are still being regularly downloaded despite the availability of newer versions that resolve flaws. In fact, the study says that one-third of the most popular components had older, vulnerable versions being commonly downloaded.
Jeff Williams, CEO of Aspect Security, concluded: "While the numbers from this report are alarming, the take-away is clear--open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage."
The whitepaper, titled "The Unfortunate Reality of Insecure Libraries," can be downloaded here (free registration required).