Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/3/2013
03:49 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Many Commercial Software Projects Contain Older, Vulnerable Open-Source Code

More than one-fifth contain older and less secure versions of open-source code, new study finds

A study of nearly 3,000 commercial software projects found that some 23 percent of them contain open-source components with security flaws.

White Source Software also found that some 98.7 percent of those vulnerable open-source libraries were not the most up-to-date versions. Rami Sass, CEO of White Source, says that's because there's typically a disconnect between the open-source community and the developers who adopt their code in their software projects.

"Developers don't have a good way to keep track and in touch with the work the open-source community members do and the patches and security issues they track," Sass says. "The chances [are better] that developers hear about [open-source] security vulnerabilities in their projects only if it comes out in the press. Otherwise, they're not going to go out and look."

White Source studied open-source library information from various commercial projects as well as an index of known vulnerabilities to gather the data.

Open-source software increasingly is being scrutinized for vulnerabilities, and security experts have been warning enterprises to ensure they are using the most updated versions of open-source libraries. An estimated 80 to 90 percent of custom software uses open-source libraries.

The FS-ISAC (Financial Services Information Sharing and Analysis Center) last month proposed a series of basic security controls for ensuring the security of third-party software used by financial services firms, including policy management for open-source software libraries and components. The goal is to help financial firms ensure their developers are adopting the most current and secure versions of open-source code.

White Source's Sass says open-source software is typically secure. "Open-source communities are very diligent and go through a lot of trouble fixing and identifying problems. The real issue is the disconnect between that community and its end users," he says. Many organizations who build their apps with open-source code don't keep track of updates or patches, for example, he says.

The most common open-source security flaws found in the study were CVE-2011-2730, a configuration flaw in the Spring Framework; CVE-2012-0213, a resource management error in Apache; CVE-2011-2894, a permissions, privileges, and access control flaw in Spring; CVE-2009-2625, a permissions, privileges, and access control flaw in Apache Xerces2; and CVE-2013-0248, a permissions, privileges, and access control flaw in Apache Commons FileUpload.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
EfratS034
50%
50%
EfratS034,
User Rank: Apprentice
12/4/2013 | 7:37:04 AM
re: Many Commercial Software Projects Contain Older, Vulnerable Open-Source Code
White Source full report at http://www.whitesourcesoftware...
davidneville
50%
50%
davidneville,
User Rank: Apprentice
1/31/2014 | 6:02:34 PM
re: Many Commercial Software Projects Contain Older, Vulnerable Open-Source Code
Dave Wichers talks about this in his three-part series on Contrast Security's blog: http://www1.contrastsecurity.c...

Key Takeaways:
1. If you are going to use open-source frameworks and libraries, avoid downloading libraries with known vulnerabilities, and update them when new updates/patches for the libraries you are already using are.
2. The earlier in your software development life cycle security flaws are found and eliminated, the cheaper it is for your organization.
3. Contrast doesn't care where the code comes from, or whether you even have access to the source code at all. Contrast will point out exactly where in the code each vulnerability is introduced, regardless of its source or pedigree.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.