Skip to main content

Open Source and Third-Party Components Embed 24 Known Vulnerabilities into Every Web Application on Average

Veracode introduces new cloud-based service that reduces enterprise risk via centralized, automated component governance

Veracode introduces new cloud-based service that reduces enterprise risk via centralized, automated component governance 


BURLINGTON, Mass. – October 22, 2014 Veracode, a leader in protecting modern enterprises from today’s pervasive web and mobile application threats, today released analytics from its cloud-based platform that exposes the significant risk created by the widespread use of open source and third-party components. Using the company’s newly-released software composition analysis service, Veracode analyzed more than 5,300 enterprise applications uploaded to its platform over the past two months, and determined that components introduce an average of twenty-four known vulnerabilities into each web application. Many of these vulnerabilities expose enterprises to significant cyberthreats such as data breaches, malware injections and Denial-of-Service (DoS) attacks. 

To accelerate delivery of digital innovations, it is now common in both traditional and agile development processes to incorporate reusable, pre-built software components. These components are often obtained from open source developers. In fact, according to industry analysts, 95% of all IT organizations will leverage some element of open source software in their mission-critical IT solutions by 2015. In addition, FS-ISAC states that “the majority of internal software created by financial services involves acquiring open source components and libraries to augment custom-developed software.”

Most third-party and open source components do not undergo the same level of security scrutiny as custom-developed software. To address this risk in the software supply chain, industry groups such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components. However, it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used. This leaves countless web and mobile applications at risk, especially once a new vulnerability, such as Heartbleed, has been publicly disclosed.

“While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight “Very High Severity” or “High Severity” vulnerabilities per application caused by open source and third-party components,” said Phil Neray, Veracode’s VP of enterprise security strategy. “The data suggests that virtually all applications have at least one critical vulnerability caused by reusable components. This tells us we can significantly reduce enterprise risk by continuously auditing our customers’ application portfolios for the presence of risky components.”

Veracode’s new automated service helps enterprises quickly identify all applications with vulnerable components and determine exactly where specific components are used across multiple development teams, including outsourcers. Customers can immediately take advantage of the new service because it works with all the software they’ve already uploaded for binary static analysis (SAST). Veracode’s world-class security experts also provide remediation advisory services to help customers rapidly prioritize and mitigate vulnerabilities across their global application infrastructures.

With the addition of this service, Veracode becomes the only vendor to offer a unified platform for SAST, DAST and software composition analysis. To simplify automated governance and systematically reduce risk, Veracode’s cloud-based platform offers centralized policies and KPIs for measuring security posture in a consistent manner across disparate business units and both internal and external development teams.

To learn more about reducing risk from open source and third-party components, Veracode is sponsoring a SANS webinar with Securosis a leading analyst firm, on Thursday, October 23 at 1pm EDT. Click here to register.