Two in three commercial apps with open source code have security vulnerabilities
"If you’re using open source, chances are you are likely including vulnerabilities known to the world at large," says the latest open source security report, released by software company Black Duck.
The company analyzed more than 200 applications that are based on, or partially use, open source components over a six-month period. It found that 67 percent of them have vulnerabilities, and that every application has at least five vulnerable components.
More than 10 percent of the applications were found to contain the Heartbleed vulnerability, and almost 10 percent POODLE; LogJam and FREAK were present in almost five percent.
"Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components, the public disclosure of vulnerabilities (often with sample exploits) and access to the source code make the attacker’s job simpler", the report says. "In addition, without a traditional support model, users are typically unaware of new updates and vulnerabilities".
The report nonetheless encourages everyone to keep using open source rather than shy away from it because of these vulnerabilities. What is required, it says, is visibility into the included components: "This would provide the ability to switch to newer (or at least less vulnerable) versions of the same components."
Perhaps the most disturbing finding, though, is how old these vulnerabilities are: on average, they had been disclosed more than five years before the analysis. Organizations did not know about them either because they did not know the component was present, or because they did not check for vulnerability information.
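The check the report is asking for, as an added example that is not from the report or the article: a small Python inventory comparison in which the component names and versions present in an application are matched against the affected version ranges of disclosed vulnerabilities, with each finding carrying the age of the disclosure. The advisory list, the inventory, the library name libexample and the analysis date are constructed for illustration; only the Heartbleed entry uses the real OpenSSL range.

```python
"""Added example, not the report's or article's code: a minimal component
inventory check.  Advisory and inventory data are constructed; only the
Heartbleed range (OpenSSL 1.0.1 up to 1.0.1g) reflects the real advisory."""
import re
from datetime import date

# (advisory, component, first affected, first fixed, disclosure date)
ADVISORIES = [
    ("Heartbleed", "openssl", "1.0.1", "1.0.1g", date(2014, 4, 7)),
    # Hypothetical advisory for a hypothetical library, to show an old finding.
    ("EXAMPLE-2012-001", "libexample", "2.0.0", "2.4.0", date(2012, 3, 1)),
]
# Constructed inventory: what a scanner would report as present in one app.
INVENTORY = [("openssl", "1.0.1f"), ("openssl", "1.0.1g"),
             ("zlib", "1.2.8"), ("libexample", "2.3.0")]
ANALYSIS_DATE = date(2017, 4, 1)  # constructed date of the check


def version_key(version):
    """Sortable key for dotted versions with an optional OpenSSL-style letter
    suffix: '1.0.1f' -> ((1, 0, 1), 'f').  Unknown formats raise instead of
    silently comparing as strings, which would misorder 1.0.10 and 1.0.9."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in match.group(1).split(".")), match.group(2)


def find_exposures(inventory, advisories, analysis_date):
    """Return (component, version, advisory, years since disclosure) for each
    inventory entry whose version lies inside an advisory's affected range."""
    findings = []
    for component, version in inventory:
        key = version_key(version)
        for name, target, first_bad, first_fixed, disclosed in advisories:
            if target != component:
                continue
            if version_key(first_bad) <= key < version_key(first_fixed):
                age = (analysis_date - disclosed).days / 365.25
                findings.append((component, version, name, round(age, 1)))
    return findings


if __name__ == "__main__":
    for finding in find_exposures(INVENTORY, ADVISORIES, ANALYSIS_DATE):
        print("%s %s: %s, disclosed %.1f years ago" % finding)
```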
The full report can be found on this link.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.