Vulnerabilities / Threats

5/2/2016
07:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Hidden Flaws Of Commercial Applications

Open source components in commercial applications are more plentiful than organizations think -- and they're full of long-standing vulnerabilities.

Organizations developing commercial software often only have a limited window of visibility into the kinds of open source components their developers are leveraging and, as a result their software is full of flaws that put customers at risk, according to a new study out by Black Duck Software today.

The State of Open Source Security in Commercial Applications offers a comprehensive look at the findings from a study that reviewed 200 applications reviewed over six months by the Black Duck Open Source Security Analysis (OSSA) service. It found that its customers were only aware of about 45% of the actual open source components used in their software. And among all the open source components used in commercial applications 67% contained security vulnerabilities.

The study showed that on average, applications contained about 105 open source components. The average number of open source component vulnerabilities in each application equaled a little over 22.

"While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," the report explained. "More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

As the survey explained, open source components have become a lifeblood in modern development across all types of applications these days. Development teams under the gun have learned that it doesn't make economic sense to reinvent the wheel with functionality that can just as easily inserted by utilizing open source components that have been around for years. The problem is that these software parts are often folded into the commercial code base undisclosed and then neglected. In other words, not only are components vulnerable, but these are often old flaws.

According to Black Duck's analysis, the typical vulnerability found among these components was left open for five years -- 1,894 days on average, to be specific.

"This indicates that the organizations didn’t know about the vulnerabilities, either because they didn’t know the component was present, or had not checked public resources for vulnerability information," the report says.

These are not benign flaws, either. Nearly 40% of the flaws were of high severity, with CVSS base scores of 7.0 or higher. And, in fact, a significant number of the applications studied by Black Duck contained components exposed to highly publicized 'named' vulnerabilities. For example, 10% of applications contained components vulnerable to Heartbleed and the same ratio contained components vulnerable to POODLE.

Related Content:

 

 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AlbertBarkley2
50%
50%
AlbertBarkley2,
User Rank: Apprentice
2/7/2017 | 3:26:17 AM
Re: Open source components
That is true only open source components are things that people need and use after customizing them.
hemang_rindani
50%
50%
hemang_rindani,
User Rank: Apprentice
7/14/2016 | 8:31:53 AM
Open source components

Interesting article. True that the majority of components of open-source web application platform are unknown to the users. This is because this open-source solution comes with tons of files and a bulk of default features, which sometimes stay untouched as they are not relavant to the requirements. This components can / cannot be vulnerable. Also being open source application development service, there are chances of it getting hacked easily. It is thus important to have thorough knowledge of the system that is in use or use a commorcial enterprise web content management service like Sitefinity or Drupal for web application development.

taylorwilson
50%
50%
taylorwilson,
User Rank: Apprentice
7/12/2016 | 7:45:56 AM
Re: cool
i like your site it is really good and informative for everyone keep it up :)
sarahtaylor
50%
50%
sarahtaylor,
User Rank: Apprentice
7/12/2016 | 4:08:47 AM
Re: cool
amazing and good work keep sharing information :)
LarryMorales
50%
50%
LarryMorales,
User Rank: Apprentice
6/13/2016 | 6:13:13 AM
Re: cool
We can see well structured blogs here. I  came across different blogs available here and it is a great experience for me. 
tamarasherwood
50%
50%
tamarasherwood,
User Rank: Apprentice
5/3/2016 | 3:04:48 AM
cool

 

 

 

This is truly a great blog thanks for sharing. Excellent and decent post. I found this much informative, as to what I was exactly searching for. Thanks for such post and please keep it up.

 

 

 

Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.