Skip Links

Do Insecure Open Source Components Threaten Your Apps?

By Thor Olavsrud, CIO
March 30, 2012 07:20 PM ET

CIO - Since Apache Maven, the brainchild of Sonatype founder Jason van Zyl, emerged as a top-level Apache Software Foundation project in 2003, the Central Repository has become a primary source of open source components. Jackson says the Central Repository receives four billion requests per year for its 300,000 components.

But after crunching the data on how the Central Repository's components are used--with the help of application security specialist Aspect Security--Jackson says he believes organizations need to be much more diligent in their practices around open source components because many are exposing themselves to risk by deploying older, vulnerable versions of components.

Global 500 Firms Downloaded 2.8 Million Insecure Components

Aspect Security's study of Sonatype's data found that more than 80 percent of typical software applications are open source components and frameworks consumed in binary form, and that Global 500 organizations, collectively, downloaded more than 2.8 million insecure components in one year. The average enterprise downloads more than 1,000 unique components from the Central Repository each month, and large banks and independent software vendors (ISVs) download even more. And many of the most popular components displayed flaws.

Known open source vulnerabilities.

Source: Aspect Security's Study of Sonatype data.

The study found there were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and frameworks. For instance, Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC and Struts 1.x.

In many cases, newer, patched versions of the components or frameworks were available, but users downloaded insecure versions anyway. The study found one in three of the most popular components had older, vulnerable versions that were still commonly downloaded, even when a newer version with a security fix was available.

"The rates of consumption of flawed components were shocking to us," Jackson says. "I think the root reason for that behavior must be a lack of awareness driven by a lack of notification infrastructure."

The Issue Is Notification, Not Open Source

Jackson's issue is not with the open source model itself. "I have been for years and remain a huge advocate for open source," he says. "I think the pace of innovation, the ability to leverage other people's innovation and the transparency and many-eyeballs theory makes open source much more secure over time. What we are trying to point out is not whether open source is better or worse than commercial software or whether open source is fundamentally flawed."

Instead, he says, the issue is that the open source ecosystem lacks the ongoing relationship between vendor and customer that has evolved in the commercial software space. The commercial software world has become used to patch management, update management and even events like Microsoft's Patch Tuesday, when the Redmond-based software behemoth regularly releases security patches for its software. In the open source world, the onus remains largely on the consumers of open source components to track the status of the releases, patches and fixes issued for the components they use.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News