SecurityWeek

71 Percent of Applications Use Components With Severe or Critical Security Flaws: Report

Lack of Open Source Component Management and Control is Putting Production Applications At Risk

A significant portion of software is assembled using open source components and frameworks downloaded from public repositories, according to a software development survey.


At least 80 percent of modern software being developed can be traced back to open source components and publicly available frameworks, Sonatype said in its annual Open Source Development Survey released Tuesday. Around 76 percent of respondents in the survey said they have no control over what components get used in software development projects.

Not only do organizations lack proper controls or processes to govern how these open source components are used, nearly 65 percent of respondents said they don’t maintain an inventory of the components currently in use in production applications.

“Our world runs on software and software runs on open-source components,” said Wayne Jackson, CEO of Sonatype.

Sonatype runs a Central Repository containing open source components which organizations can download for use in their development efforts. In 2012, the repository registered eight billion downloads, Sonatype said.

It’s bad enough that organizations have no process in place to validate and approve components before they are included, but they also have no visibility into what has already been used. An open source component becomes an attack vector as soon as attackers identify a vulnerability in it that they can exploit. An organization that does not know it is shipping that component may be unaware that the flaw is putting the whole application at risk.

In fact, Sonatype found that 71 percent of production applications contained components which had known security flaws classified as severe or critical.
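The two things the survey says most organizations lack, an inventory of components in production and a check of that inventory against known flaws, can be approximated with a short script. The following is an added example, not Sonatype's code and not part of the original article. It assumes Maven-style `group:artifact:version` coordinates, the form served by Sonatype's Central Repository; the dependency list and the advisory entries are constructed, hypothetical data, not real components or real CVEs.

```python
"""Build a component inventory (bill of materials) from Maven-style
coordinates and match it against known-vulnerable version ranges.

Added example: the dependency list and advisory feed below are constructed
for illustration and are NOT real project data or real advisories.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed dependency list in the group:artifact:version form that
# `mvn dependency:list` prints. One entry is repeated on purpose to show
# de-duplication; none of these components exist.
DEPENDENCY_LIST = """\
com.example:webframework:2.3.1
com.example:xmlparser:1.4.0
org.example.util:commons-helpers:3.0.2
com.example:webframework:2.3.1
com.example:logging:1.2.8
"""


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A known flaw affecting versions in the half-open range [introduced, fixed)."""
    group: str
    artifact: str
    introduced: str
    fixed: Optional[str]   # None: no fixed release is known, all later versions affected
    severity: str          # "low", "moderate", "severe" or "critical"
    summary: str


# Constructed advisory feed (hypothetical entries, not real CVEs).
ADVISORIES = [
    Advisory("com.example", "xmlparser", "1.0.0", "1.4.2", "critical",
             "XML external entity (XXE) expansion"),
    Advisory("com.example", "webframework", "2.0.0", "2.3.0", "severe",
             "Request parameter injection"),
    Advisory("com.example", "logging", "1.2.0", None, "moderate",
             "Log injection via unescaped input"),
]

SEVERE_OR_WORSE = {"severe", "critical"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a numerically comparable tuple (1.10 > 1.9).

    Non-digit suffixes such as "-SNAPSHOT" are ignored; a real tool would
    need the full Maven ordering rules.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_inventory(text: str) -> List[Component]:
    """Parse coordinate lines into a de-duplicated, sorted inventory."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")[:3]
        seen.add(Component(group, artifact, version))
    return sorted(seen, key=lambda c: (c.group, c.artifact, c.version))


def is_affected(c: Component, a: Advisory) -> bool:
    """True when the component's version falls inside the advisory's range."""
    if (c.group, c.artifact) != (a.group, a.artifact):
        return False
    v = parse_version(c.version)
    if v < parse_version(a.introduced):
        return False
    return a.fixed is None or v < parse_version(a.fixed)


def find_flawed(inventory: List[Component], advisories: List[Advisory],
                severities: Set[str] = SEVERE_OR_WORSE) -> List[Tuple[Component, Advisory]]:
    """Return (component, advisory) pairs whose severity is in `severities`."""
    return [(c, a) for c in inventory for a in advisories
            if a.severity in severities and is_affected(c, a)]


if __name__ == "__main__":
    inventory = build_inventory(DEPENDENCY_LIST)
    print(f"{len(inventory)} distinct components in the bill of materials")
    for comp, adv in find_flawed(inventory, ADVISORIES):
        fix = adv.fixed or "no fixed version"
        print(f"{adv.severity.upper():8} {comp.group}:{comp.artifact}:{comp.version}"
              f"  {adv.summary} (fixed in {fix})")
```

Run on the constructed data, the script reports one severe-or-critical hit (the XML parser) while the web framework, already past its fixed version, and the moderate logging issue are correctly left out of the default report. The half-open range and the "no fixed version" case are the two details most home-grown checks get wrong.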

Nearly 57 percent of survey participants said they had no policies in place governing component usage. One reason given for not having policies was that enforcement is a challenge, Sonatype said. The lack of enforcement also has a lot to do with confusion over who owns, or is responsible for, how open source software is used.


“For developers on large teams, 44 percent say they are standardizing on an open-source development infrastructure stack, with 33 percent stating, ‘It’s not our corporate standard, but tons of people use it,’” Sonatype said.

The Open Source Development Survey collects information from more than 3,500 developers, architects and IT managers using open source software across all industries, company sizes, and geographic regions. The survey findings show that organizations consider open source components as the “building blocks” of modern software, Sonatype said.

However, the lack of internal controls and a failure to address security vulnerabilities during the development lifecycle threatens the integrity of the software supply chain and exposes organizations to massive, unmanaged risk.

“By informing component choice, pinpointing flaws early in the software lifecycle and offering flexible remediation options, enterprises can better protect against malicious exploit, maintain developer productivity and avoid downstream rework costs,” Jackson said.

To help secure the development process in a way that is developer-friendly, fits Agile practices, and addresses ongoing threats, the company launched Sonatype CLM this week.

Sonatype CLM covers components across software design, development, deployment, and production. The platform delivers component information, controls, and remediation options directly into developer tools, so that the development team knows the risks of using a given component and how to work around them.

Sonatype CLM is comprised of CLM Server, which provides a central facility for active risk assessment and manages the development environment; CLM for development, which governs the supply chain by authenticating and securely delivering approved components; and CLM for continuous monitoring, which watches the security and integrity of components already in use. The platform is designed to work with any programming language and can integrate with tools such as source code analyzers and development editors.

Developers can see a complete component and application bill-of-materials inventory in order to discover and fix at-risk applications.

Sonatype CLM lets developers “go fast, without introducing risk into their applications or stalling the development process,” Jackson said.

The full results of the survey are available here in PDF format.
