At Veracode, we’ve been the first and the loudest in proclaiming that companies need to be vigilant in how they use open source components in their software.
Our research shows that open source components are used with increasing regularity in the enterprise. The State of Software Security Volume 9 report, which examined 700,000 scans over 12 months, found that 87.5 percent of Java applications had at least one vulnerability in a component. In addition, open source applications were found to be among the slowest of all applications to be fixed: developers remediated 25 percent of open source flaws after 93 days had passed following identification.
A separate recent industry report pointed to the fact that a vulnerable version of the open source Apache Struts library, the same vulnerable library that hackers accessed to steal information on millions of consumers, is still being downloaded and used by some of the most profitable and prominent global enterprises. In March 2017, a number of high profile targets were zapped by what we dubbed the “Struts-Shock” flaw. This critical vulnerability in the Apache Struts 2 library enables remote code execution (RCE) attacks using command injection, for which as many as 35 million sites were vulnerable. The bad guys exploited the vulnerability in a range of victims’ applications, most notably the Canada Revenue Agency and the University of Delaware, in a breach of records that USA Today reported could cost the organization as much as $19 million.
The fact that vulnerable software is still in use even after such damaging effects illustrates both the ubiquitous use of open source code in software applications worldwide and that the race to deploy and evolve applications is pushing companies to build software more quickly. As Veracode CTO Chris Wysopal wrote in Forbes, “The benefits of open source code can be so alluring that businesses can forget about the risks involved with using public, unvetted chunks of software throughout their applications. Vulnerabilities in open source code are prized by hackers simply because of the prevalence of their use.”
The open source conundrum for businesses is getting more complex: there are 5 million open source libraries now but the growth rate is exponential – we will see millions more developers releasing up to half a billion libraries within the next decade. This increases the threat vector for businesses that use open source in their applications because while open source creates efficiency, developers also inherit vulnerabilities in the components they use.
Scanning code to reveal flaws and recommend fixes to developers is critical. As organizations tackle bug-ridden components, they should consider not just the open flaws within libraries and frameworks, but also how they are using those components. By understanding not just the status of the component, but whether or not a vulnerable method is being called, organizations can pinpoint their component risk and prioritize fixes based on the riskiest uses of components.
To address the risk of open source vulnerabilities in the software supply chain, groups such as PCI, OWASP, and FS-ISAC now have specific controls and policies in place to govern the use of open source components. But for global enterprises with multiple and vast repositories of code, identifying all the applications where open source vulnerabilities may exist can be difficult.
That’s where Veracode comes in. Our solution allows enterprises to quickly identify every application with vulnerable components, making it easy to address open source vulnerabilities and continue realizing the benefits of open source software.
When news breaks about new open source vulnerabilities, Veracode helps you quickly identify which applications in your organization are vulnerable, saving time as you plan for remediation.
Veracode’s cloud-based platform scans software to identify both open source vulnerabilities and flaws in proprietary code with the same scan, providing greater visibility into security across the entire application landscape. During the mitigation process, Veracode’s team of experts supports your people, processes and technology, and coaches your engineers on secure coding practices and ways to manage mitigation and remediation.
Learn more about controlling your risk with the Veracode platform here.