
71 Percent of Applications Use Components With Severe or Critical Security Flaws: Report

Lack of Open Source Component Management and Control is Putting Production Applications At Risk

A significant portion of software is assembled using open source components and frameworks downloaded from public repositories, according to a software development survey.

At least 80 percent of modern software being developed can be traced back to open source components and publicly available frameworks, Sonatype said in its annual Open Source Development Survey released Tuesday. Around 76 percent of respondents in the survey said they have no control over what components get used in software development projects.

Not only do organizations lack proper controls or processes to govern how these open source objects are used, nearly 65 percent of respondents said they don't maintain an inventory of components that are currently in use in production applications.

"Our world runs on software and software runs on open-source components," said Wayne Jackson, CEO of Sonatype.

Sonatype runs a Central Repository containing open source components which organizations can download for use in their development efforts. In 2012, the repository registered eight billion downloads, Sonatype said.

It's bad enough that organizations don't have a process in place to validate and approve components before they are included, but they also have no visibility into what has already been used. Open source components can act as a potential attack vector if attackers identify a vulnerability they can exploit. Organizations may not be aware that a component has such a vulnerability and is putting the whole application at risk.

In fact, Sonatype found that 71 percent of production applications contained components which had known security flaws classified as severe or critical.

Nearly 57 percent of survey participants said they did not have any policies in place governing component usage. One of the reasons for not having policies was that enforcement was a challenge, Sonatype said. The lack of enforcement also has a lot to do with confusion over who owns, or is responsible for, how open source software is used.

"For developers on large teams, 44 percent say they are standardizing on an open-source development infrastructure stack, with 33 percent stating, 'It's not our corporate standard, but tons of people use it,'" Sonatype said.

The Open Source Development Survey collects information from more than 3,500 developers, architects and IT managers using open source software across all industries, company sizes, and geographic regions. The survey findings show that organizations consider open source components as the "building blocks" of modern software, Sonatype said.

However, the lack of internal controls and a failure to address security vulnerabilities during the development lifecycle threaten the integrity of the software supply chain and expose organizations to massive, unmanaged risk.

"By informing component choice, pinpointing flaws early in the software lifecycle and offering flexible remediation options, enterprises can better protect against malicious exploit, maintain developer productivity and avoid downstream rework costs," Jackson said.

To help secure the development process in a way that is developer-friendly, adopts Agile practices, and effectively addresses ongoing threats, the company launched Sonatype CLM this week.

Sonatype CLM secures components from software design through development, deployment, and production. The platform delivers component information, controls, and remediation options directly into developer tools so that the development team knows the risks of using certain components and how to work around the issues.

Sonatype CLM is comprised of three parts: CLM Server, which provides a central facility for active risk assessment and manages the development environment; CLM for development, which governs the supply chain by authenticating and securely delivering components that can be used; and CLM for continuous monitoring, which ensures the security and integrity of the components. The platform is designed to work with any programming language and can integrate with tools such as source code analysis and development editors.

Developers can see a complete component and application bill-of-materials inventory in order to discover and fix at-risk applications.

Sonatype CLM lets developers "go fast, without introducing risk into their applications or stalling the development process," Jackson said.

The full results of the survey are available here in PDF format.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.