Most common cause of open source problems in commercial software projects is out-of-date open source libraries, study finds
A recent WhiteSource study of 2,944 software projects with open source components found that 23% had security vulnerabilities. Meanwhile, only 1.3% of the open source libraries with known vulnerabilities had been updated to the latest version. Ninety-three percent of the vulnerabilities in the affected open source libraries were of high or medium severity.
“Often, no one is assigned to continually monitor the open source for updates. In our study, 98.7% of the open source libraries with vulnerabilities were not updated. This presents considerable security and business risks for both vendor and customer when the product is shipped,” said Rami Sass, Co-Founder and CEO of WhiteSource. “If you don’t stay on top of open source updates, you risk missing critical security fixes that are most likely out there,” he added.
According to Gartner, 85% of commercial software projects use open source libraries. While the benefits of open source are clear to most developers, open source projects contain the same quality and security issues as any other software projects. Most open source communities are quick to fix issues in their code, but their users are notably slow to update to new versions.
An earlier WhiteSource survey found that 85% of software projects contain out-of-date open source libraries.
“There is a clear disconnect between what is expected from development teams and what they can realistically do. They often lack the expertise and time to continually ensure compliance with open source licenses and monitor open source libraries for future security vulnerabilities and bugs. To properly manage open source for security and compliance, a lot of the adoption and ongoing management should be automated,” said Pini Cohen, EVP and Senior Analyst at STKI.
WhiteSource, the leading provider of agile open source management solutions, has recently released a new SaaS solution that proactively alerts customers about security vulnerabilities in open source libraries. The solution also provides alerts for new versions of libraries and fixes for vulnerabilities and other software bugs.
“We match open source libraries with various repositories of vulnerabilities and with new versions made available by the respective open source communities,” said Sass. “We can provide pinpointed alerts because we always know the exact open source content of each of our customers’ projects,” he added.
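In outline, the matching Sass describes is an inventory join: each resolved dependency is compared against a vulnerability feed keyed by library coordinates and affected-version range, and against the newest release of the same library. The Python script below is an added example of that join written for this page; it is not WhiteSource's code. The project inventory, the latest-release snapshot and the feed records are constructed for the example, and the version bounds and severities attached to the CVEs named on this page are my reading of the NVD entries, which should be verified against the advisory database before being relied on.

```python
"""Match a resolved dependency inventory against a vulnerability feed and a
latest-release list: the outline of the alerting described on this page.

Added example, not WhiteSource's code. INVENTORY, LATEST and FEED are
constructed for the example; the bounds and severities on the real CVE IDs
are my reading of NVD and must be checked against the advisory database.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.0.5.RELEASE' -> (3, 0, 5). Numeric components only, padded to three
    places so that '3.8' and '3.8.0' compare equal."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break  # stop at the first qualifier such as RELEASE or SEC03
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Vuln:
    cve: str
    artifact: str          # Maven coordinates "group:artifact"
    fixed_in: str          # first unaffected version (exclusive upper bound)
    severity: str          # "low" | "medium" | "high", as given by the feed
    introduced: str = "0"  # first affected version (inclusive lower bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


# Constructed inventory: what the build resolved, including transitive deps.
INVENTORY: Dict[str, str] = {
    "org.apache.poi:poi": "3.7",
    "commons-fileupload:commons-fileupload": "1.2.2",
    "org.springframework:spring-core": "3.0.5.RELEASE",
    "org.springframework:spring-webmvc": "3.0.6.RELEASE",
    "com.google.guava:guava": "14.0.1",
}

# Constructed snapshot of the newest release of each library at scan time.
LATEST: Dict[str, str] = {
    "org.apache.poi:poi": "3.9",
    "commons-fileupload:commons-fileupload": "1.3",
    "org.springframework:spring-core": "3.2.2.RELEASE",
    "org.springframework:spring-webmvc": "3.2.2.RELEASE",
    "com.google.guava:guava": "14.0.1",
}

# Feed records for the CVEs on this page (bounds: my reading of NVD, verify).
# One record per affected branch; e.g. the 2.5.x Spring branch for
# CVE-2011-2730 would be a separate record with its own fixed_in.
FEED: List[Vuln] = [
    Vuln("CVE-2012-0213", "org.apache.poi:poi", fixed_in="3.8", severity="medium"),
    Vuln("CVE-2013-0248", "commons-fileupload:commons-fileupload", fixed_in="1.3", severity="low"),
    Vuln("CVE-2011-2730", "org.springframework:spring-core", fixed_in="3.0.6", severity="medium", introduced="3.0.0"),
    Vuln("CVE-2011-2894", "org.springframework:spring-core", fixed_in="3.0.6", severity="high", introduced="3.0.0"),
    Vuln("CVE-2011-2730", "org.springframework:spring-webmvc", fixed_in="3.0.6", severity="medium", introduced="3.0.0"),
]


def match_vulnerabilities(inventory: Dict[str, str], feed: List[Vuln]) -> Dict[str, List[Vuln]]:
    """Per dependency, the feed records whose range covers the pinned version."""
    hits: Dict[str, List[Vuln]] = {}
    for artifact, version in inventory.items():
        found = [v for v in feed if v.artifact == artifact and v.affects(version)]
        if found:
            hits[artifact] = found
    return hits


def outdated(inventory: Dict[str, str], latest: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Dependencies pinned behind the newest known release: {artifact: (pinned, latest)}."""
    return {a: (v, latest[a]) for a, v in inventory.items()
            if a in latest and parse_version(v) < parse_version(latest[a])}


def report(inventory: Dict[str, str], feed: List[Vuln], latest: Dict[str, str]) -> Dict[str, object]:
    """Summary in the shape of the study's numbers: vulnerable libraries, how
    many of them are also behind the latest release, severity mix."""
    hits = match_vulnerabilities(inventory, feed)
    stale = outdated(inventory, latest)
    severities = [v.severity for vs in hits.values() for v in vs]
    return {
        "dependencies": len(inventory),
        "vulnerable": sorted(hits),
        "vulnerable_and_behind_latest": sorted(a for a in hits if a in stale),
        "outdated": stale,
        "total_findings": len(severities),
        "high_or_medium": sum(s in ("high", "medium") for s in severities),
    }


if __name__ == "__main__":
    for artifact, vulns in match_vulnerabilities(INVENTORY, FEED).items():
        fixes = ", ".join(f"{v.cve} (fixed in {v.fixed_in})" for v in vulns)
        print(f"{artifact} {INVENTORY[artifact]}: {fixes}")
    for artifact, (cur, new) in outdated(INVENTORY, LATEST).items():
        print(f"update {artifact}: {cur} -> {new}")
    print(report(INVENTORY, FEED, LATEST))
```

Two design points matter more than the data. The feed is matched on coordinates plus an inclusive-lower, exclusive-upper version range, not on library name alone, so a dependency already on the fixing release (spring-webmvc 3.0.6 here) produces no alert while an older pin of the same library does. And the inventory must be the resolved dependency set, transitive libraries included (for Maven, the output of `mvn dependency:list`), because a top-level build file understates the "exact open source content" the alerting depends on.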
The top 5 most common security vulnerabilities among the WhiteSource customers studied were:
- CVE-2011-2730: This Spring Framework vulnerability (Expression Language evaluated twice in JSP tags) lets remote attackers obtain sensitive information.
- CVE-2012-0213: This Apache POI vulnerability lets remote attackers cause a denial of service (OutOfMemoryError) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.
- CVE-2011-2894: This Spring Framework and Spring Security vulnerability (deserialization of objects from untrusted sources) lets remote attackers bypass intended security restrictions and execute untrusted code.
- CVE-2009-2625: This Apache Xerces2 vulnerability lets remote attackers cause a denial of service (infinite loop and application hang) via malformed XML input.
- CVE-2013-0248: This Commons FileUpload vulnerability, whose default temporary directory was /tmp, lets local users overwrite arbitrary files via a symlink attack.
WhiteSource is a user-friendly cloud-based SaaS solution that lets companies of all sizes enjoy the benefits of open source without the legal, business and technical risks. As the leading provider of agile open source lifecycle management solutions, WhiteSource relieves developers from the burden of researching and tracking license inventory and security and compliance issues.
The WhiteSource solution is powered by a dynamic repository of data on open source libraries and their licenses, compliance requirements, security vulnerabilities, and new versions. WhiteSource’s automated platform makes it easy to implement best-practice business processes for open source adoption, usage, updates, and ongoing compliance.
Founded in 2011, WhiteSource is a privately held company with offices in New York and Tel Aviv.
For more information, visit: http://www.whitesourcesoftware.com/