• United States

Study shows admins are doing a terrible job of patching servers

News Analysis
May 31, 20184 mins
Open SourceSecurityServers

Three-quarters of examined open-source servers have unpatched exploits.

Google Data Center
Credit: Google

Open source has taken over the server side of things, but admins are doing a terrible job of keeping the software patched and up to date.

Black Duck Software, a developer of auditing software for open-source security, has released its annual Open Source Security and Risk Analysis, which finds enterprise open source to be full of security vulnerabilities and compliance issues.

According to the study, open-source components were found in 96% of the applications the company scanned last year, with an average of 257 instances of open source code in each application.

The average percentage of codebase that was open source rose to 57%, compared to just 36% the previous year, quite an increase in one year. Many applications now contain more open source code than proprietary code.

However, 78% of the codebases examined contained at least one unpatched vulnerability, and an average of 64 known exploits per codebase. In the internet of things, where 77% of the code is open source, the audit found an average of 677 vulnerabilities per application. Over 4,800 open-source vulnerabilities were reported in 2017, but that’s across the full spectrum of open-source apps and operating systems.

The authors note a key difference between commercial and open-source software is how patches are handled. Updates to commercial software are automatically pushed out to users, as Windows users know all too well. Open source doesn’t do that. You have to go checking for updates manually, even if it’s just to run a patch/update checker.

And because there are so many important open-source products, such as developer tools, it can be tough to keep track of everything you use. “Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers,” the authors wrote. “If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk.”

For example, the auditing software found Bootstrap, an open-source toolkit for developing with HTML, CSS and JavaScript, in 40% of the applications scanned, followed by jQuery, at 36%. Also notable for its use was Lodash, a JavaScript library that provides utility functions for programming tasks. “Lodash appeared as the most common open source component used in applications employed by such industries as healthcare, IoT, internet, marketing, ecommerce, and telecommunications,” the report stated.

Does this mean your open-source apps are replete with vulnerabilities? Probably not, if you’ve been good about keeping your systems patched. This report is finding that people aren’t patching their systems; that’s the problem.

And they are letting problems go unpatched for years. Black Duck found that the average vulnerability is six years old, with 4% of the codebases audited still containing Heartbleed, an exploit that everyone was talking about four years ago.

Now, Black Duck makes its living selling auditing software, so it shouldn’t be too surprising to hear it ringing the bells of alarm. But facts are a stubborn thing. No one should have an app go unpatched for six years. I can see where this attitude comes from. A lot of people have this notion that open-source software is fire-and-forget; you can deploy it and forget about it.

For the longest time there was sense in the free, open-source software community that its software was inherently better because its code was open source and everyone could look at it, so bugs were caught sooner. Heartbleed laid waste to that idea, and these findings certainly don’t back that notion.

So keep calm and carry on updating your software.

Andy Patrizio is a freelance journalist based in southern California who has covered the computer industry for 20 years and has built every x86 PC he’s ever owned, laptops not included.

The opinions expressed in this blog are those of the author and do not necessarily represent those of ITworld, Network World, its parent, subsidiary or affiliated companies.