Report: Developers often use vulnerable open-source components
Software developers around the world use open-source code to build mission-critical software. A new study by Sonatype found that more than 80 percent of applications in use today are assembled from open-source components. Many of those components are not safe, however: the study counted more than 46 million downloads of unsafe component versions in 2011 alone.
Many of these downloads could have been avoided with due diligence. The study found that roughly one-third of all downloads were of an older version of a component for which a newer, more secure release was already available at the time. Sonatype noted that a single vulnerable component can put an entire company's data at risk.
"The data clearly show that organizations consume huge numbers of vulnerable libraries. This is a wake-up call for software development organizations," application security expert Jeff Williams said. "While the numbers from this report are alarming, the take-away is clear – open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage."
According to a separate study by the Ponemon Institute, nearly 60 percent of responding software developers and half of security professionals said their company experienced a data breach within the past year because an application was compromised. Additionally, 47 percent of developers said there is no formal practice in place to improve software once a vulnerability is found.
"We commissioned this study with Ponemon because we feel the industry still needs a much higher level of awareness around application security," IT security expert Ed Adams said. "What emerged in this study was that companies don't seem to be looking at the root causes of data breaches and they aren't moving very fast to bridge the existing gaps to fix the myriad of problems."
Unsafe open-source components are a common denominator in many data breaches. According to Sonatype, the average company downloads more than 1,000 components from the open-source Central Repository every month. The Global 500 are particularly exposed: these organizations download and use more than 2.8 million insecure components every year, and financial services firms alone pull in more than 567,000 unsafe components annually.
Additionally, because each open-source component typically depends on hundreds of other components, most of them pulled in transitively rather than chosen by the developer, a complex and often dangerous ecosystem evolves when companies do not take the time to select and deploy secure versions, Sonatype said. As a result, many large corporations have built mission-critical applications on the assumption that their components were secure, even though those applications may contain a number of security gaps.
"Our analysis points to critical gaps in the open-source component ecosystem – a lack of visibility and control compounded by the lack of a centralized update notification infrastructure," Sonatype chief executive officer Wayne Jackson said. "Every day, mission-critical applications are compromised by malicious exploit, yet as this analysis shows, organizations have no clear view into component usage."
According to an IDC report, the open-source software market will generate more than $8 billion in revenue by 2013. This growth is largely driven by the unstable economy and the need for organizations to develop applications at a lower price.
For these cost-effective solutions to pay off, however, decision-makers need to ensure that the open-source components they use are safe. Checking each component, including the ones it pulls in transitively, for newer versions and upgrading when one is available improves application security, since many updates include security fixes.
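The check described above, as an added example that is not part of the original article and not Sonatype's tooling: a Python script that reads a Maven pom.xml, follows transitive dependencies, and flags every resolved component that is behind the latest release or falls inside a known-vulnerable version range. The sample POM, the "latest release" table, the transitive-dependency table and the advisory ranges are all constructed for the demonstration under the hypothetical org.example group; a real audit would fetch maven-metadata.xml and each dependency's POM from the Central Repository and take the ranges from a vulnerability feed instead of hard-coding them.

```python
"""Audit a Maven pom.xml for outdated and known-vulnerable components.

Added example (not Sonatype's or the article's code).  All repository data
below is constructed for the demonstration under the hypothetical
org.example group; a real audit would fetch it from the Central Repository
and a vulnerability feed instead of hard-coding it.
"""
import re
from xml.etree import ElementTree as ET

# Constructed sample project: one web library and one utility library.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-lib</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util</artifactId>
      <version>3.0.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for maven-metadata.xml: newest release per coordinate.
LATEST = {
    "org.example:web-lib": "1.4.2",
    "org.example:util": "3.0.1",
    "org.example:json-parser": "2.1.0",
}

# Constructed stand-in for each release's own POM: what it pulls in transitively.
TRANSITIVE = {
    "org.example:web-lib:1.2.0": ["org.example:json-parser:1.9.3"],
    "org.example:web-lib:1.4.2": ["org.example:json-parser:2.1.0"],
}

# Constructed advisory table: [lower inclusive, upper exclusive) vulnerable ranges.
ADVISORIES = {
    "org.example:json-parser": [("1.0.0", "2.0.0")],
}


def version_key(version):
    """Sort key for dotted versions; a qualifier such as -rc1 sorts below the release."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    nums = tuple(int(x) for x in m.group(1).split(".")) if m else ()
    nums += (0,) * (4 - len(nums))          # 1.2 compares equal to 1.2.0.0
    is_release = 0 if (m and m.group(2)) else 1
    return (nums, is_release)


def parse_direct_deps(pom_xml):
    """Return [(groupId:artifactId, version)] declared in the POM's <dependencies>."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):                              # qualify a tag with the POM namespace, if any
        return f"{{{ns}}}{tag}" if ns else tag

    deps = []
    for section in root.findall(q("dependencies")):   # top-level only, not dependencyManagement
        for dep in section.findall(q("dependency")):
            coord = f"{dep.findtext(q('groupId'))}:{dep.findtext(q('artifactId'))}"
            version = dep.findtext(q("version"))
            if version:                      # unversioned (managed) entries need the parent POM
                deps.append((coord, version))
    return deps


def resolve(direct, transitive):
    """Walk transitive dependencies breadth-first; the first version seen for a
    coordinate wins, mirroring Maven's nearest-wins mediation."""
    resolved = {}
    queue = list(direct)
    while queue:
        coord, version = queue.pop(0)
        if coord in resolved:
            continue
        resolved[coord] = version
        for child in transitive.get(f"{coord}:{version}", []):
            child_coord, child_version = child.rsplit(":", 1)
            queue.append((child_coord, child_version))
    return resolved


def is_vulnerable(coord, version, advisories):
    """True if the version falls inside any advisory range for the coordinate."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi)
               for lo, hi in advisories.get(coord, []))


def audit_pom(pom_xml, latest=LATEST, transitive=TRANSITIVE, advisories=ADVISORIES):
    """Return one finding per resolved component, flagging outdated and vulnerable ones."""
    findings = []
    for coord, version in sorted(resolve(parse_direct_deps(pom_xml), transitive).items()):
        newest = latest.get(coord)
        findings.append({
            "coordinate": coord,
            "version": version,
            "latest": newest,
            "outdated": newest is not None and version_key(version) < version_key(newest),
            "vulnerable": is_vulnerable(coord, version, advisories),
        })
    return findings


if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM):
        flags = " ".join(n for n in ("outdated", "vulnerable") if f[n]) or "ok"
        newest = f["latest"] or "?"
        print(f"{f['coordinate']:28} {f['version']:8} latest {newest:8} {flags}")
```

On the constructed data the script reports web-lib 1.2.0 as outdated but not known vulnerable, util 3.0.1 as current, and json-parser 1.9.3, which the project never declared itself, as both outdated and inside an advisory range; that last line is the transitive-dependency blind spot the article describes. The resolver's first-wins rule is a simplification of Maven's dependency mediation (it ignores scopes, exclusions and dependencyManagement), so treat its output as a first pass rather than a substitute for the build tool's own resolved tree.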
Data Security News from SimplySecurity.com by Trend Micro