There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.
Just as there are known knowns, known unknowns and unknown unknowns in National Security, the same can be said for application security. The very nature of corporate programming today involves a massive amount of data sharing. The more elaborate and mission critical a project is, the more lines of code are likely to be borrowed from a library somewhere. And yet there is a counterintuitive element with that approach. There is a direct connection between the volume of code coming from elsewhere and the likelihood of security risks coming along.
In the seventh edition of CA Veracode’s State of Software Security Report (SoSS), we found that the prevalent use of open-source and third-party components are creating unmanaged risk. To the tune of approximately 97 percent of Java applications containing at least one component with a known vulnerability.
Certainly, the known unknowns – like a published vulnerability in a broadly used component – require development teams to update components, but they’re costly and more like performing brain surgery than updating apps on an iPhone.
Join Tim Jarrett, Director of Product Marketing at CA Veracode, as he discusses the systemic risk caused by open source and third-party components, and why addressing component risk starts at the top with policy.