Software development teams continue to rely on open-source code, but nearly two-thirds of the applications using open-source components have code flaws, according to report published by software-security firm Black Duck Software April 19.
In an analysis of more than 1,000 application audits, Black Duck found an average of 27 vulnerabilities in each application, up from 23 percent in 2015, according to the report. More than half of the vulnerabilities had a severity rating of high. Some components—including OpenSSL and Apache Struts—had 20 or more high-risk vulnerabilities per component, the report stated.
Many companies do not create policies for their developers to follow when they use of open-source components or do not adequately track component usage, Tim Mackey, Senior Technical Evangelist, Black Duck, told eWEEK.
“Developers are focused [on] solving the problem at hand and not necessarily creating the most pristine code,” he said. “So one of the big key takeaways is that an organization will be focused on testing and finding vulnerabilities in their product, but that does not mean that the open-source components are safe as well.”
Open-source code is a fundamental part of modern software development and comprises 36 percent of the application code base on average, according to Black Duck. Certain industries rely more on open-source components. For example, 46 percent of health-care applications consist of open-source code and 41 percent of retail and e-commerce applications consist of open-source code.
More than 1,000 applications were tested by the company. Almost all of the applications—96 percent—had open-source components, which is unsurprising given that the study data came from Black Duck’s audits of clients, whom presumably had reason to worry about their open-source exposure.
The most popular open-source code bases included JQuery, found in about 58 percent of tested applications, Bootstrap, found in 36 percent, and JUnit, found in 31 percent.
Black Duck’s clients typically fall into two categories: Those who embrace open-source components, but want to determine their risk, and those who want to make certain that no open-source components are used.
“We get some customers who say, ‘We don’t want any open source in our environment at all, because they think that is a bad idea,’” Mackey said. “And we have other organization who say, ‘we understand the risks here and they want to understand the scale.’ ”
Besides the risk from vulnerable components, another problem is that many open-source projects don't regularly update or maintain their code, creating what is essentially legacy code. Many components had vulnerabilities that were two to three years old, but have never been patched, Black Duck found. This long tail of code can make companies vulnerable without realizing it.
“The long tail becomes a significant problem, because you as an administrator today might not necessarily believe that you could be vulnerable to something that is 3 or 4 years old,” Mackey said. “Yet, we saw that there are still hundreds of thousands of public-facing Web sites that continue to be vulnerable to the Heartbleed bug. So the long tail really puts companies at risk.”