Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/2/2016
07:02 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Hidden Flaws Of Commercial Applications

Open source components in commercial applications are more plentiful than organizations think -- and they're full of long-standing vulnerabilities.

Organizations developing commercial software often only have a limited window of visibility into the kinds of open source components their developers are leveraging and, as a result their software is full of flaws that put customers at risk, according to a new study out by Black Duck Software today.

The State of Open Source Security in Commercial Applications offers a comprehensive look at the findings from a study that reviewed 200 applications reviewed over six months by the Black Duck Open Source Security Analysis (OSSA) service. It found that its customers were only aware of about 45% of the actual open source components used in their software. And among all the open source components used in commercial applications 67% contained security vulnerabilities.

The study showed that on average, applications contained about 105 open source components. The average number of open source component vulnerabilities in each application equaled a little over 22.

"While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," the report explained. "More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

As the survey explained, open source components have become a lifeblood in modern development across all types of applications these days. Development teams under the gun have learned that it doesn't make economic sense to reinvent the wheel with functionality that can just as easily inserted by utilizing open source components that have been around for years. The problem is that these software parts are often folded into the commercial code base undisclosed and then neglected. In other words, not only are components vulnerable, but these are often old flaws.

According to Black Duck's analysis, the typical vulnerability found among these components was left open for five years -- 1,894 days on average, to be specific.

"This indicates that the organizations didn’t know about the vulnerabilities, either because they didn’t know the component was present, or had not checked public resources for vulnerability information," the report says.

These are not benign flaws, either. Nearly 40% of the flaws were of high severity, with CVSS base scores of 7.0 or higher. And, in fact, a significant number of the applications studied by Black Duck contained components exposed to highly publicized 'named' vulnerabilities. For example, 10% of applications contained components vulnerable to Heartbleed and the same ratio contained components vulnerable to POODLE.

Related Content:

 

 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jennifer Crawford
50%
50%
Jennifer Crawford,
User Rank: Apprentice
9/8/2017 | 8:49:55 AM
Re: cool
Wow good one!
wordsdoctorate
50%
50%
wordsdoctorate,
User Rank: Apprentice
9/7/2017 | 1:59:47 AM
Re: Open source components
I read this article. I think You put a lot of effort to create this article. I appreciate your work.

 
AlbertBarkley2
50%
50%
AlbertBarkley2,
User Rank: Apprentice
2/7/2017 | 3:26:17 AM
Re: Open source components
That is true only open source components are things that people need and use after customizing them.
hnrindani
50%
50%
hnrindani,
User Rank: Apprentice
7/14/2016 | 8:31:53 AM
Open source components

Interesting article. True that the majority of components of open-source web application platform are unknown to the users. This is because this open-source solution comes with tons of files and a bulk of default features, which sometimes stay untouched as they are not relavant to the requirements. This components can / cannot be vulnerable. Also being open source application development service, there are chances of it getting hacked easily. It is thus important to have thorough knowledge of the system that is in use or use a commorcial enterprise web content management service like Sitefinity or Drupal for web application development.

taylorwilson
50%
50%
taylorwilson,
User Rank: Apprentice
7/12/2016 | 7:45:56 AM
Re: cool
i like your site it is really good and informative for everyone keep it up :)
sarahtaylor
50%
50%
sarahtaylor,
User Rank: Apprentice
7/12/2016 | 4:08:47 AM
Re: cool
amazing and good work keep sharing information :)
LarryMorales
50%
50%
LarryMorales,
User Rank: Apprentice
6/13/2016 | 6:13:13 AM
Re: cool
We can see well structured blogs here. I  came across different blogs available here and it is a great experience for me. 
tamarasherwood
50%
50%
tamarasherwood,
User Rank: Apprentice
5/3/2016 | 3:04:48 AM
cool

 

 

 

This is truly a great blog thanks for sharing. Excellent and decent post. I found this much informative, as to what I was exactly searching for. Thanks for such post and please keep it up.

 

 

 

Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.