Vulnerabilities / Threats
5/2/2016
07:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Hidden Flaws Of Commercial Applications

Open source components in commercial applications are more plentiful than organizations think -- and they're full of long-standing vulnerabilities.

Organizations developing commercial software often only have a limited window of visibility into the kinds of open source components their developers are leveraging and, as a result their software is full of flaws that put customers at risk, according to a new study out by Black Duck Software today.

The State of Open Source Security in Commercial Applications offers a comprehensive look at the findings from a study that reviewed 200 applications reviewed over six months by the Black Duck Open Source Security Analysis (OSSA) service. It found that its customers were only aware of about 45% of the actual open source components used in their software. And among all the open source components used in commercial applications 67% contained security vulnerabilities.

The study showed that on average, applications contained about 105 open source components. The average number of open source component vulnerabilities in each application equaled a little over 22.

"While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," the report explained. "More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

As the survey explained, open source components have become a lifeblood in modern development across all types of applications these days. Development teams under the gun have learned that it doesn't make economic sense to reinvent the wheel with functionality that can just as easily inserted by utilizing open source components that have been around for years. The problem is that these software parts are often folded into the commercial code base undisclosed and then neglected. In other words, not only are components vulnerable, but these are often old flaws.

According to Black Duck's analysis, the typical vulnerability found among these components was left open for five years -- 1,894 days on average, to be specific.

"This indicates that the organizations didn’t know about the vulnerabilities, either because they didn’t know the component was present, or had not checked public resources for vulnerability information," the report says.

These are not benign flaws, either. Nearly 40% of the flaws were of high severity, with CVSS base scores of 7.0 or higher. And, in fact, a significant number of the applications studied by Black Duck contained components exposed to highly publicized 'named' vulnerabilities. For example, 10% of applications contained components vulnerable to Heartbleed and the same ratio contained components vulnerable to POODLE.

Related Content:

 

 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AlbertBarkley2
50%
50%
AlbertBarkley2,
User Rank: Apprentice
2/7/2017 | 3:26:17 AM
Re: Open source components
That is true only open source components are things that people need and use after customizing them.
hemang_rindani
50%
50%
hemang_rindani,
User Rank: Apprentice
7/14/2016 | 8:31:53 AM
Open source components

Interesting article. True that the majority of components of open-source web application platform are unknown to the users. This is because this open-source solution comes with tons of files and a bulk of default features, which sometimes stay untouched as they are not relavant to the requirements. This components can / cannot be vulnerable. Also being open source application development service, there are chances of it getting hacked easily. It is thus important to have thorough knowledge of the system that is in use or use a commorcial enterprise web content management service like Sitefinity or Drupal for web application development.

taylorwilson
50%
50%
taylorwilson,
User Rank: Apprentice
7/12/2016 | 7:45:56 AM
Re: cool
i like your site it is really good and informative for everyone keep it up :)
sarahtaylor
50%
50%
sarahtaylor,
User Rank: Apprentice
7/12/2016 | 4:08:47 AM
Re: cool
amazing and good work keep sharing information :)
LarryMorales
50%
50%
LarryMorales,
User Rank: Apprentice
6/13/2016 | 6:13:13 AM
Re: cool
We can see well structured blogs here. I  came across different blogs available here and it is a great experience for me. 
tamarasherwood
50%
50%
tamarasherwood,
User Rank: Apprentice
5/3/2016 | 3:04:48 AM
cool

 

 

 

This is truly a great blog thanks for sharing. Excellent and decent post. I found this much informative, as to what I was exactly searching for. Thanks for such post and please keep it up.

 

 

 

Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.