Widespread use of vulnerable open source components
Help Net Security
Published: March 27, 2012 11:00
Sonatype and Aspect Security collaborated on a study of the real-world use of vulnerable versions of open source libraries.
Used by developers around the world, open source components are downloaded from the Central Repository thousands of times per day to create applications relied on by the Global 2,000 and others to conduct finance, energy, government and military activities.
As the stewards of the Central Repository, the primary source for open source components, Sonatype is in a position to provide data on usage of open source software worldwide. The repository receives four billion requests per year, contains 300,000 components and is used by more than 60,000 development organizations worldwide.
The data was analyzed by experts from Aspect Security, including Jeff Williams, who is responsible for drafting the OWASP Top 10, the widely accepted resource and guideline for application security.
Key findings include:
Modern software relies heavily on open source: More than 80 percent of typical software applications are open source components and frameworks consumed in binary form.
The Global 500 is at risk: Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.
Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
Many popular components have flaws: There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
Users are not update aware: One in three of the most popular components had older, vulnerable versions still being commonly downloaded, even when a newer version, with the security fix, was available.
Community scrutiny drives flaw discovery: Open source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components. This is, at least in part, indicative of the effectiveness of broad community collaboration and active support.
A single vulnerable component can completely undermine the security of an application, expose vulnerable data assets and jeopardize the integrity of an organization's software portfolio. These findings come at a time when the cost of insecure software applications is high and growing.
In 2011, successful cyber-attack rates grew by 44 percent, with an average time to resolution of 18 days and the average cost of a data breach at $5.5 million per event.
The average enterprise downloads more than 1,000 unique components from the Central Repository each month, with large banks and independent software vendors (ISVs) downloading even more. Because each component includes dependencies on tens or hundreds of other components, a massively complex ecosystem emerges.
The growing reliance on open-source components as core building blocks for application development, coupled with the complexity of the ecosystem, has given rise to a largely misunderstood application security risk where the world's largest enterprises have built mission-critical applications that contain vulnerabilities.
"Our analysis points to critical gaps in the open-source component ecosystem - a lack of visibility and control compounded by the lack of a centralized update notification infrastructure," said Wayne Jackson, CEO of Sonatype. "Every day, mission-critical applications are compromised by malicious exploit, yet as this analysis shows, organizations have no clear view into component usage. Sonatype is working to correct this problem with the delivery of products and information services that offer actionable insight at every stage of the application development process."