Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/1/2019
10:30 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail

The Truth About Your Software Supply Chain

Open source components help developers innovate faster, but they sometimes come at a high price.
2 of 9

Almost All Software Is Open Source Software

The latest studies put to rest that today's software world is split cleanly between open source software and everything else. The truth is that almost all modern software today comprises at least some open source components.

According to the '2019 Open Source Security and Risk Analysis (OSSRA)' report, released earlier this spring by Synopsys, 99% of applications with at least 1,000 files contain at least some open source components. Meantime, an analysis of 500 modern applications in the Sonatype study shows, on average, that 85% of their code is comprised of open source components.

Image Source: '2019 Open Source Security and Risk Analysis Report,' Synopsys

Almost All Software Is Open Source Software

The latest studies put to rest that today's software world is split cleanly between open source software and everything else. The truth is that almost all modern software today comprises at least some open source components.

According to the "2019 Open Source Security and Risk Analysis (OSSRA)" report, released earlier this spring by Synopsys, 99% of applications with at least 1,000 files contain at least some open source components. Meantime, an analysis of 500 modern applications in the Sonatype study shows, on average, that 85% of their code is comprised of open source components.

Image Source: "2019 Open Source Security and Risk Analysis Report," Synopsys

2 of 9
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13096
PUBLISHED: 2019-07-22
TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/<wallet-name>.xml to gain unauthorized access.
CVE-2019-13097
PUBLISHED: 2019-07-22
The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users' score parameters exchanged between client and server.
CVE-2019-10102
PUBLISHED: 2019-07-22
OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: Possible code execution and confirmed Denial of Service. The component is: DcmRLEDecoder::decompress() (file dcrledec.h, line 122). The attack vector is: Many scenarios of DICOM file processing (e.g. DICOM to image conver...
CVE-2019-12326
PUBLISHED: 2019-07-22
Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the file) and trigger code execution.
CVE-2019-13100
PUBLISHED: 2019-07-22
The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml.