News Source ZDNet

Only 20% of corporate OSS users manage components

Only about 20 percent of companies using open source components have lockdown controls in place, and fewer than 50 percent have corporate policies governing component usage, according to a survey of 2,500 developers released by component repository vendor Sonatype.
News Source Formtek

Open Source: The Good, Bad and Ugly — Studies in Two Extremes

When top-class open source tools and applications (think software like Linux, Apache Web Server, PostgreSQL and PHP) went head to head against similar proprietary software, a recent survey found that the open source software matched or bested the quality of its proprietary cousins. The open source community hailed these findings from Gartner and Coverity.
News Source Infosecurity Magazine

Study finds widespread use of vulnerable open source components

The study, 'The Unfortunate Reality of Insecure Libraries', found that many organizations use open source components as the building blocks for their applications but have zero visibility into whether the components they are using are secure, thereby exposing the organization to security risks.
News Source Australian Techworld

Do insecure open source components threaten your apps?

Since Apache Maven, the brainchild of Sonatype founder Jason van Zyl, emerged as a top-level Apache Software Foundation project in 2003, the Central Repository has become a primary source of open source components. Jackson says the Central Repository receives four billion requests per year for its 300,000 components.
News Source CSO

Do Insecure Open Source Components Threaten Your Apps?

Since Apache Maven, the brainchild of Sonatype founder Jason van Zyl, emerged as a top-level Apache Software Foundation project in 2003, the Central Repository has become a primary source of open source components. Jackson says the Central Repository receives four billion requests per year for its 300,000 components.
News Source Proformative

Report: Half Global 500 Vulnerable to Open Source Security Loopholes

Aspect Security and Sonatype have recently collaborated to provide the industry's first study of potential vulnerabilities in open source components. These flexible components are used by members of the Global 2,000 and other leading organizations thousands of times each day in their operations, and the implications of security frailties could be significant.
News Source Tech Security Today

The Inherently Insecure Nature of Open Source Projects

A huge percentage of the applications being built these days rely on previously existing components that developers stitch together to make a new application. In fact, the vast majority of these components are open source projects that developers assume to be secure, given the peer review process that most open source projects are based on.
News Source Linux Today

Sonatype not out to slam open source

"Yeah, thought so." Which is pretty much what was going through my head when I read Monday's wire reports that software-development firm Sonatype and application security specialists Aspect Security have released a study with a press release that highlighted "[m]ore than 80 percent of typical software applications are open-source components and frameworks consumed in binary form."
News Source Network World

Are Open Source Libraries Any More Vulnerable Than Closed Source?

My friend and Network World editor, Ellen Messmer, posted an article yesterday about the results of an analysis by Aspect Security of the Central Repository maintained by Sonatype. The study was announced by Aspect and Sonatype yesterday. Both the study and Ellen's article have set off a bit of a firestorm in both the open source and security communities about the security, or lack thereof, of open source libraries and components.

Sonatype Eyes "Staggering" Use Of Vulnerable Open Source Components

Attempting to analyze real-world usage of vulnerable versions of open source libraries, software vendors Sonatype and Aspect Security claim to have found "staggering" use of susceptible components that have been downloaded from central repositories in order to conduct finance, energy, government, and military activities.
News Source InfoWorld

Study: Open source libraries propagate security flaws

Although companies such as Microsoft, Adobe, and Mozilla have raised awareness of secure programming practices in recent years, getting developers to adopt best practices to weed out vulnerabilities in program code remains a challenge. A case in point: developers often overlook the necessity of keeping the components of their software up to date, a problem exacerbated by poor update mechanisms, according to a study released on Monday.
News Source FierceCIO

Vulnerable open-source code components in business software

A new research study has found that most businesses and independent software vendors that use open source components in their applications don't know whether those components are safe. The research was conducted by Aspect Security, a firm that evaluates software for vulnerabilities, and Sonatype, which operates the Central Repository, an exchange for open source components with a library of more than 300,000 components.
News Source JAXenter

Banks and ISVs hit hard by open source vulnerabilities

Financial institutions and independent software vendors (ISVs) are being hit disproportionately hard by security holes in open source software components, according to a new study by Sonatype and Aspect Security. The companies tracked downloads of out-of-date, vulnerable packages from the Maven Central Repository over the course of a year, watching the 'Global 500' group clock up a collective 2.8 million downloads. The 'Global 100' group of banks and other financial institutions downloaded 567,000 insecure components over the same period.
News Source InfoWorld

Open source code libraries suffer from vulnerabilities

A study of how 31 popular open source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and that about a quarter of the downloads were of vulnerable versions.

Awards

Codie, Inc. 500, Red Herring, SD Times, NVTC, RSA, Gartner