Vulnerabilities / Threats
5/2/2016
07:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Hidden Flaws Of Commercial Applications

Open source components in commercial applications are more plentiful than organizations think -- and they're full of long-standing vulnerabilities.

Organizations developing commercial software often only have a limited window of visibility into the kinds of open source components their developers are leveraging and, as a result their software is full of flaws that put customers at risk, according to a new study out by Black Duck Software today.

The State of Open Source Security in Commercial Applications offers a comprehensive look at the findings from a study that reviewed 200 applications reviewed over six months by the Black Duck Open Source Security Analysis (OSSA) service. It found that its customers were only aware of about 45% of the actual open source components used in their software. And among all the open source components used in commercial applications 67% contained security vulnerabilities.

The study showed that on average, applications contained about 105 open source components. The average number of open source component vulnerabilities in each application equaled a little over 22.

"While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," the report explained. "More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

As the survey explained, open source components have become a lifeblood in modern development across all types of applications these days. Development teams under the gun have learned that it doesn't make economic sense to reinvent the wheel with functionality that can just as easily inserted by utilizing open source components that have been around for years. The problem is that these software parts are often folded into the commercial code base undisclosed and then neglected. In other words, not only are components vulnerable, but these are often old flaws.

According to Black Duck's analysis, the typical vulnerability found among these components was left open for five years -- 1,894 days on average, to be specific.

"This indicates that the organizations didn’t know about the vulnerabilities, either because they didn’t know the component was present, or had not checked public resources for vulnerability information," the report says.

These are not benign flaws, either. Nearly 40% of the flaws were of high severity, with CVSS base scores of 7.0 or higher. And, in fact, a significant number of the applications studied by Black Duck contained components exposed to highly publicized 'named' vulnerabilities. For example, 10% of applications contained components vulnerable to Heartbleed and the same ratio contained components vulnerable to POODLE.

Related Content:

 

 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AlbertBarkley2
50%
50%
AlbertBarkley2,
User Rank: Apprentice
2/7/2017 | 3:26:17 AM
Re: Open source components
That is true only open source components are things that people need and use after customizing them.
hemang_rindani
50%
50%
hemang_rindani,
User Rank: Apprentice
7/14/2016 | 8:31:53 AM
Open source components

Interesting article. True that the majority of components of open-source web application platform are unknown to the users. This is because this open-source solution comes with tons of files and a bulk of default features, which sometimes stay untouched as they are not relavant to the requirements. This components can / cannot be vulnerable. Also being open source application development service, there are chances of it getting hacked easily. It is thus important to have thorough knowledge of the system that is in use or use a commorcial enterprise web content management service like Sitefinity or Drupal for web application development.

taylorwilson
50%
50%
taylorwilson,
User Rank: Apprentice
7/12/2016 | 7:45:56 AM
Re: cool
i like your site it is really good and informative for everyone keep it up :)
sarahtaylor
50%
50%
sarahtaylor,
User Rank: Apprentice
7/12/2016 | 4:08:47 AM
Re: cool
amazing and good work keep sharing information :)
LarryMorales
50%
50%
LarryMorales,
User Rank: Apprentice
6/13/2016 | 6:13:13 AM
Re: cool
We can see well structured blogs here. I  came across different blogs available here and it is a great experience for me. 
tamarasherwood
50%
50%
tamarasherwood,
User Rank: Apprentice
5/3/2016 | 3:04:48 AM
cool

 

 

 

This is truly a great blog thanks for sharing. Excellent and decent post. I found this much informative, as to what I was exactly searching for. Thanks for such post and please keep it up.

 

 

 

Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.