Vulnerabilities / Threats

5/2/2016
07:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Hidden Flaws Of Commercial Applications

Open source components in commercial applications are more plentiful than organizations think -- and they're full of long-standing vulnerabilities.

Organizations developing commercial software often only have a limited window of visibility into the kinds of open source components their developers are leveraging and, as a result their software is full of flaws that put customers at risk, according to a new study out by Black Duck Software today.

The State of Open Source Security in Commercial Applications offers a comprehensive look at the findings from a study that reviewed 200 applications reviewed over six months by the Black Duck Open Source Security Analysis (OSSA) service. It found that its customers were only aware of about 45% of the actual open source components used in their software. And among all the open source components used in commercial applications 67% contained security vulnerabilities.

The study showed that on average, applications contained about 105 open source components. The average number of open source component vulnerabilities in each application equaled a little over 22.

"While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," the report explained. "More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components."

As the survey explained, open source components have become a lifeblood in modern development across all types of applications these days. Development teams under the gun have learned that it doesn't make economic sense to reinvent the wheel with functionality that can just as easily inserted by utilizing open source components that have been around for years. The problem is that these software parts are often folded into the commercial code base undisclosed and then neglected. In other words, not only are components vulnerable, but these are often old flaws.

According to Black Duck's analysis, the typical vulnerability found among these components was left open for five years -- 1,894 days on average, to be specific.

"This indicates that the organizations didn’t know about the vulnerabilities, either because they didn’t know the component was present, or had not checked public resources for vulnerability information," the report says.

These are not benign flaws, either. Nearly 40% of the flaws were of high severity, with CVSS base scores of 7.0 or higher. And, in fact, a significant number of the applications studied by Black Duck contained components exposed to highly publicized 'named' vulnerabilities. For example, 10% of applications contained components vulnerable to Heartbleed and the same ratio contained components vulnerable to POODLE.

Related Content:

 

 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jennifer Crawford
50%
50%
Jennifer Crawford,
User Rank: Apprentice
9/8/2017 | 8:49:55 AM
Re: cool
Wow good one!
wordsdoctorate
50%
50%
wordsdoctorate,
User Rank: Apprentice
9/7/2017 | 1:59:47 AM
Re: Open source components
I read this article. I think You put a lot of effort to create this article. I appreciate your work.

 
AlbertBarkley2
50%
50%
AlbertBarkley2,
User Rank: Apprentice
2/7/2017 | 3:26:17 AM
Re: Open source components
That is true only open source components are things that people need and use after customizing them.
hnrindani
50%
50%
hnrindani,
User Rank: Apprentice
7/14/2016 | 8:31:53 AM
Open source components

Interesting article. True that the majority of components of open-source web application platform are unknown to the users. This is because this open-source solution comes with tons of files and a bulk of default features, which sometimes stay untouched as they are not relavant to the requirements. This components can / cannot be vulnerable. Also being open source application development service, there are chances of it getting hacked easily. It is thus important to have thorough knowledge of the system that is in use or use a commorcial enterprise web content management service like Sitefinity or Drupal for web application development.

taylorwilson
50%
50%
taylorwilson,
User Rank: Apprentice
7/12/2016 | 7:45:56 AM
Re: cool
i like your site it is really good and informative for everyone keep it up :)
sarahtaylor
50%
50%
sarahtaylor,
User Rank: Apprentice
7/12/2016 | 4:08:47 AM
Re: cool
amazing and good work keep sharing information :)
LarryMorales
50%
50%
LarryMorales,
User Rank: Apprentice
6/13/2016 | 6:13:13 AM
Re: cool
We can see well structured blogs here. I  came across different blogs available here and it is a great experience for me. 
tamarasherwood
50%
50%
tamarasherwood,
User Rank: Apprentice
5/3/2016 | 3:04:48 AM
cool

 

 

 

This is truly a great blog thanks for sharing. Excellent and decent post. I found this much informative, as to what I was exactly searching for. Thanks for such post and please keep it up.

 

 

 

Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2765
PUBLISHED: 2018-08-20
pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.
CVE-2018-15594
PUBLISHED: 2018-08-20
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
CVE-2018-15572
PUBLISHED: 2018-08-20
The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
CVE-2018-15573
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf...
CVE-2018-15574
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."