Over 370 Organizations Report Confirmed or Suspected Open Source Breaches in Past 12 Months According to Sonatype Survey


Survey Finds 75 Percent Put Consumers at Risk with Poor Software Component Control

FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey sponsored by venture capital firm New Enterprise Associates, Inc. (NEA) and software supply chain management company Sonatype. In the survey 3 out of 10 respondents actually admitted they either had or suspect a breach was caused by an open source component within the last 12 months.

The 2014 State of Open Source Development and Application Security Survey questioned more than 3,300 software developers, architects and application security professionals around the world about their use of open source software, policies governing its use, and common application security practices.

The survey provides a clear perspective on the state of application security across many of the world’s leading software development organizations because 90 percent of a typical application is composed of open source components, with more than 13 billion requests served for these free, reusable software building blocks last year. Among the survey highlights:

  • 44% of enterprises have no policies governing open source component use in their application development.
  • 77% of those that have adopted open source component policies have never banned a single component, citing lack of enforcement capability as the #1 challenge with their policy.
  • 79% do not need to prove they are using components free of security vulnerabilities.
  • 63% fail to monitor for changes in vulnerability data for open source software components

As with any software, flaws will be found in open source components. But unlike internally developed software code, organizations bringing open source components into their firms do not have effective governance policies and practices to identify, track or remediate vulnerabilities within those components. This creates a rich target for hackers to exploit the vulnerable applications.

“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”

In fact, according to a Sonatype analysis, in one year there were more than 46 million requests for insecure versions of the 31 most popular open source security libraries1. And even after critical or severe vulnerabilities were announced and fixed in these popular open source components the vulnerable versions continue to be downloaded on a massive scale: Struts2 web application framework (179,050 downloads), the Bouncy Castle cryptography API (214,484 downloads), the Jetty web application server (5,174,913 downloads) and the HTTP Client implementation for Java (3,749,193 downloads)2.

Sonatype recommends that application developers avoid use of flawed components by using software offering automated governance, monitoring and alerts to identify and proactively fix component vulnerabilities throughout the software development lifecycle.

The 2014 State of Open Source Development and Security Survey was co-sponsored by Contrast Security, Rugged Software and the Trusted Software Alliance. It marked the fourth annual examination of open source software development trends spearheaded by Sonatype to raise awareness and improve development and security practices. Full survey results can be found at www.sonatype.com/2014survey.

About NEA

NEA is a leading venture capital firm focused on helping entrepreneurs build transformational businesses across multiple stages, sectors and geographies. With more than $13 billion in committed capital, the firm invests in information technology and healthcare companies at all stages in a company’s lifecycle, from seed stage through IPO. NEA’s long track record of successful investing includes more than 175 portfolio company IPOs and more than 300 acquisitions. For additional information, visit www.nea.com.

About Sonatype:

Sonatype focuses on the challenge of creating a secure software supply chain. Today, developers rely on millions of third party and open source building blocks — known as components – to build up to 90% of a typical application. These components are downloaded from the internet, without controls, allowing components with known security vulnerabilities and/or licensing risks to be built in to newly developed software. And unlike a manufacturing supply chain, these components are not tracked throughout their lifecycle for update or recall. Sonatype uniquely identifies all components and integrates data about known security, license and quality risks into the tools developers use every day, so risky components can be easily avoided and defects repaired early in the development process. Policy automation, ongoing monitoring and proactive alerts makes it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com

Tony Keller
The Walker Group

1 2012 Executive Brief: Addressing Security Concerns in Open Source Components by Sonatype, Inc. and Aspect Security
2 Sonatype, Inc. analysis of activity in (Maven) Central Repository