Many Commercial Software Projects Contain Older, Vulnerable Open-Source Code
A study of nearly 3,000 commercial software projects found that some 23 percent of them contain open-source components with security flaws.
White Source Software also found that some 98.7 percent of those vulnerable open-source libraries were not the most up-to-date versions. Rami Sass, CEO of White Source, says that’s because there’s typically a disconnect between the open-source community and the developers who adopt their code in their software projects.
“Developers don’t have a good way to keep track and in touch with the work the open-source community members do and the patches and security issues they track,” Sass says. “The chances [are better] that developers hear about [open-source] security vulnerabilities in their projects only if it comes out in the press. Otherwise, they’re not going to go out and look.”
White Source studied open-source library information from various commercial projects as well as an index of known vulnerabilities to gather the data.
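The method the study describes, cross-referencing a project's open-source component inventory against an index of known vulnerabilities and checking each component's version against the latest release, can be reproduced in a small audit script. The example below is added here and is not White Source's tool or the study's code; the manifest, the component names, the advisory identifiers and the version numbers are all constructed for illustration, and the `INDEX` structure (latest version plus a highest-affected version per advisory) is an assumed simplification of how a real vulnerability index is organised.

```python
"""Audit a pinned dependency manifest against a vulnerability index.

Everything below is constructed for the example: the manifest, the
component names, the advisory ids (placeholders, not real CVEs) and the
version ranges.  The index shape is an assumption made for this script.
"""
from dataclasses import dataclass, field

# Constructed dependency manifest in requirements.txt style (name==version).
MANIFEST = """\
# constructed sample manifest
demo-framework==3.0.5
demo-parser==2.9.1
demo-upload==1.2.2
demo-logging==1.0.0
"""

# Constructed vulnerability index: component -> (latest release,
# [(advisory id, highest affected version), ...]).
INDEX = {
    "demo-framework": ("3.0.6",  [("ADVISORY-PLACEHOLDER-1", "3.0.5")]),
    "demo-parser":    ("2.11.0", [("ADVISORY-PLACEHOLDER-2", "2.9.1")]),
    "demo-upload":    ("1.3.0",  [("ADVISORY-PLACEHOLDER-3", "1.2.1")]),
    "demo-logging":   ("1.0.0",  []),
}


def parse_version(text):
    """Turn '2.11.0' into (2, 11, 0) so versions compare numerically,
    not lexically ('2.9' would otherwise sort after '2.11')."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return {component: pinned version}; unpinned lines are an error
    because an unpinned component cannot be matched against the index."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass
class Finding:
    name: str
    version: str
    latest: str          # "unknown" when the index has no entry
    advisories: list = field(default_factory=list)
    outdated: bool = False


def audit(manifest_text, index):
    """Match each pinned component against the index and flag both
    known advisories and components behind the latest release."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        entry = index.get(name)
        if entry is None:
            # Not in the index: cannot assess, so report it rather than
            # silently treating it as clean.
            findings.append(Finding(name, version, "unknown"))
            continue
        latest, advisories = entry
        pinned = parse_version(version)
        hits = [aid for aid, max_affected in advisories
                if pinned <= parse_version(max_affected)]
        findings.append(Finding(name, version, latest, hits,
                                outdated=pinned < parse_version(latest)))
    return findings


def summarize(findings):
    """Counts in the shape the study reports: how many components carry
    a known advisory, and how many of those are also behind the latest
    release (the study's 'not the most up-to-date version' figure)."""
    vulnerable = [f for f in findings if f.advisories]
    return {
        "total": len(findings),
        "vulnerable": len(vulnerable),
        "vulnerable_and_outdated": sum(1 for f in vulnerable if f.outdated),
    }


if __name__ == "__main__":
    results = audit(MANIFEST, INDEX)
    for f in results:
        status = "VULNERABLE" if f.advisories else "ok"
        print(f"{f.name}=={f.version:<8} latest={f.latest:<8} "
              f"{status} {f.advisories} outdated={f.outdated}")
    print(summarize(results))
```

Run against the constructed manifest, two of the four components match an advisory and both of those are also behind the latest release, which is the pattern the study reports at scale; a component absent from the index is reported as unknown rather than assumed safe, since a missing entry is a coverage gap in the index, not evidence that the component is clean.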
Open-source software is increasingly being scrutinized for vulnerabilities, and security experts have been warning enterprises to ensure they are using the most up-to-date versions of open-source libraries. An estimated 80 to 90 percent of custom software uses open-source libraries.
The FS-ISAC (Financial Services Information Sharing and Analysis Center) last month proposed a series of basic security controls for ensuring the security of third-party software used by financial services firms, including policy management for open-source software libraries and components. The goal is to help financial firms ensure their developers are adopting the most current and secure versions of open-source code.
White Source’s Sass says open-source software is typically secure. “Open-source communities are very diligent and go through a lot of trouble fixing and identifying problems. The real issue is the disconnect between that community and its end users,” he says. Many organizations that build their apps with open-source code don’t keep track of updates or patches, for example, he says.
The most common open-source security flaws found in the study were CVE-2011-2730, a configuration flaw in the Spring Framework; CVE-2012-0213, a resource management error in Apache; CVE-2011-2894, a permissions, privileges, and access control flaw in Spring; CVE-2009-2625, a permissions, privileges, and access control flaw in Apache Xerces2; and CVE-2013-0248, a permissions, privileges, and access control flaw in Apache Commons FileUpload.