Open source risk

by Mark Rowe

A significant risk is created by the widespread use of open source and third-party components, says Veracode, a web and mobile application security product firm. Using the company’s newly-released software composition analysis service, Veracode analysed more than 5300 enterprise applications uploaded to its cloud-based platform over the past two months, and determined that components introduce an average of 24 known vulnerabilities into each web application. Many of these vulnerabilities expose enterprises to significant cyberthreats such as data breaches, malware injections and Denial-of-Service (DoS) attacks.

To accelerate delivery of digital innovations, it is now common in both traditional and agile development processes to incorporate reusable, pre-built software components, the firm says. These components are often obtained from open source developers. In fact, according to industry analysts, 95pc of all IT organisations will leverage some element of open source software in their mission-critical IT solutions by 2015. In addition, FS-ISAC states that “the majority of internal software created by financial services involves acquiring open source components and libraries to augment custom-developed software.”

According to the firm, most third-party and open source components do not undergo the same security scrutiny as custom-developed software. To address this risk in the software supply chain, industry groups such as OWASP, PCI and FS-ISAC now require explicit policies and controls to govern the use of components. However, it can be difficult for global enterprises with multiple code repositories to pinpoint all the applications where a risky component is used. This leaves countless web and mobile applications at risk, it’s claimed, especially once a new vulnerability, such as Heartbleed, has been publicly disclosed.

Phil Neray, Veracode’s VP of enterprise security strategy, said: “While the sheer number of vulnerabilities per application we found is surprising, what is truly alarming is that we also identified an average of eight ‘Very High Severity’ or ‘High Severity’ vulnerabilities per application caused by open source and third-party components. The data suggests that virtually all applications have at least one critical vulnerability caused by reusable components. This tells us we can significantly reduce enterprise risk by continuously auditing our customers’ application portfolios for the presence of risky components.”

Veracode says that its new automated service helps enterprises identify all applications with vulnerable components and determine exactly where specific components are used across multiple development teams, including outsourcers. Customers can use the new service immediately because it works with all the software they have already uploaded for binary static analysis (SAST). Veracode also provides remediation advisory services to help customers prioritise and mitigate vulnerabilities.

© 2024 Professional Security Magazine. All rights reserved.