Poor Control Over Open Source Component Use Puts Organizations at Risk: Survey

Many software development firms still fail to ensure that the components they use don’t contain security vulnerabilities, according to a report published on Tuesday by software supply chain management company Sonatype.

One in ten of the roughly 3,300 software developers, architects and application security professionals who took part in the survey admitted that an open source component was, or was suspected of being, the cause of a breach within the last year. The report shows that the OpenSSL vulnerability known as Heartbleed has heightened concerns over open-source-related breaches.

This year, 43% of organizations said they don’t have an open source policy, which is a bit better than the previous year when 57% didn’t have one. Of the organizations that do have such policies in place, only 68% follow them, and 78% have never banned the use of an open source component, library or project, the report said.

Concerningly, 38% of the respondents said their open source policy doesn’t address security vulnerabilities, while 41% noted that they only have to avoid known vulnerabilities. Just two out of ten developers have to demonstrate that they’re not using components with known security holes. A lack of enforcement capability was cited by 41% of participants as the main challenge with their open source policy.

According to Sonatype, most developers don’t track component vulnerabilities over time. 40% of survey respondents believe that the development department is responsible for tracking and resolving newly discovered vulnerabilities in “production” applications, and only 18% said it was the responsibility of the application security department. Another 18% reported that the task falls to IT operations.

When asked about their developers’ interest in application security, only 27% of organizations said this aspect is a “top concern,” as opposed to 40% in last year’s survey, which had around the same number of participants.

“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”

The complete 2014 State of Open Source Development and Application Security Survey (PDF) is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
