Few would argue that the open source movement provides a convenient and cost-effective way for developers to build applications. But according to a new study, once that code makes its way into an app, it’s rarely updated to fix newly discovered vulnerabilities. And those flaws are often hidden from customers who deploy such software in their infrastructure.
The Black Duck Software report, “The State of Open Source Security in Commercial Applications”, examined 200 applications over six months and found that two-thirds of them contained open source components with known, unpatched vulnerabilities. On average, each application contained 105 open source components and 22 known vulnerabilities.
The pressure for rapid development and deployment often results in poor tracking of which versions of which open source components are in use. Attackers know this, and watch sites like GitHub, where developers discuss open source code and the problems they are experiencing. An open bug report against a widely used component often doubles as a blueprint for the next exploit.
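The tracking problem described above is, in practice, an inventory problem: you cannot patch a component you do not know you ship. The following is an added example, not code from the article or from Black Duck, of the minimal check a vendor or customer can run: parse a pinned manifest into a component inventory and compare each version against a feed of advisories. The manifest, the component names, the advisory identifiers and the fixed-in versions are all constructed for illustration.

```python
"""Build an inventory of open source components from a pinned manifest and
flag those whose installed version predates a known fix.

Added example. The manifest, component names, advisory identifiers and
fixed-in versions below are constructed for illustration; none refer to
real projects or real advisories.
"""

from dataclasses import dataclass

# Constructed manifest in `pip freeze` style (name==version).
MANIFEST = """\
# hypothetical application dependencies
examplelib==1.4.2
parsekit==0.9.0
netutil==2.1.0
jsonfast==3.2.5
"""


@dataclass(frozen=True)
class Advisory:
    component: str      # component the advisory applies to
    fixed_in: str       # first version that carries the fix
    advisory_id: str    # hypothetical identifier, not a real CVE


# Constructed advisory feed: a component is affected in every version
# strictly below fixed_in.
ADVISORIES = [
    Advisory("examplelib", "1.4.3", "HYPO-0001"),
    Advisory("parsekit", "0.9.0", "HYPO-0002"),   # manifest already has the fix
    Advisory("netutil", "2.2.0", "HYPO-0003"),
]


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so that versions compare numerically.

    A plain string comparison would put '1.10.0' before '1.9.0' and
    silently miss a vulnerable release.
    """
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Return {component_name: pinned_version} from a pip-freeze style manifest.

    Unpinned entries are rejected: without an exact version the component
    cannot be matched against an advisory, which is precisely the tracking
    gap the report describes.
    """
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component, cannot audit: {line!r}")
        components[name.strip().lower()] = version.strip()
    return components


def find_unpatched(components, advisories):
    """Return (component, installed, fixed_in, advisory_id) for every component
    in the inventory whose installed version is older than the fix."""
    findings = []
    for adv in advisories:
        installed = components.get(adv.component.lower())
        if installed is None:
            continue  # component not shipped by this application
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.component, installed, adv.fixed_in, adv.advisory_id))
    return findings


def report(manifest_text, advisories=ADVISORIES):
    """Inventory the manifest and return the list of unpatched components."""
    return find_unpatched(parse_manifest(manifest_text), advisories)


if __name__ == "__main__":
    for name, have, need, advisory_id in report(MANIFEST):
        print(f"{name} {have} is affected by {advisory_id}; upgrade to >= {need}")
```

The inventory step is the part most organisations skip; once it exists, the comparison against an advisory feed is mechanical, and a customer who receives the inventory can run the same check independently of the vendor.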
Open source code is becoming increasingly common within commercial software, but Black Duck’s study shows that vendors often fail to disclose its use. While open source code was found in 95 percent of the applications reviewed, customers were made aware of it only 45 percent of the time. And security patches for vulnerabilities in those open source components were often not pushed to customers at all.
“While many of these companies have internal security programmes and deploy security testing tools . . . those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components,” said Mike Pittenger, vice president of security strategy at Black Duck. “More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components.”
Not to put too fine a point on it, the lack of transparency and accountability among these commercial software providers is a disgrace.