Open-source components in commercial software are likely to contain vulnerabilities


A new vendor survey warns that many commercial software and web applications used by organizations have significant vulnerabilities in their open-source components.

"Buying commercial off-the-shelf software applications is not a risk-free proposition," said the study, sponsored by GramTech Inc., a company that sells software assurance tools, "including components that have a significant level of vulnerability."

Using a tool from GramTech, the company scanned multiple web browsers, email clients, file-sharing and cloud storage clients, online meeting clients, and messaging clients that contain open-source components. Those components were then analyzed for known vulnerabilities and scored by the number and severity of their bugs, producing a weighted score per component.

Among the findings:

- On average, 30 percent of all open-source components contain at least one vulnerability or security flaw that has been assigned a CVE (Common Vulnerabilities and Exposures) identifier;

- Applications in the online meetings and email client categories had the highest average load of vulnerabilities;

- All three applications studied had at least one significant vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10.0, which is the highest;

- Newer versions of the same open-source components were not always more secure, as measured by either the number of vulnerable components used or the weighted scores of vulnerabilities in each component.

The data were analyzed by Osterman Research. Michael Sampson, senior analyst at Osterman, said, "Commercial off-the-shelf software applications often include open-source components, many of which have known vulnerabilities that can be exploited by malware, yet vendors often do not disclose their presence in their own software. The lack of visibility into the applications being deployed is essentially a time bomb that increases an enterprise's security risk, attack surface, and potential to be compromised by cybercriminals."

Top weakest components

Of the components identified in all applications in the study, the two versions of the Firefox open-source component (not the browser itself) contributed 75.8 percent of the CVEs found. In second place, the 16 versions of the OpenSSL libraries used for secure website communication accounted for a combined 9.6 percent of the CVEs, and the two versions of libav accounted for 8.3 percent. According to Wikipedia, libav is an abandoned free software project that produces libraries and programs to handle multimedia data.

The percentages were obtained by counting the vulnerabilities in each component for every application that uses it. Multiple instances of the same component within the same application were counted only once.
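The scoring method described above (a per-component score weighted by the number and severity of CVEs, with repeated instances of a component inside one application counted once, and each component's share of the total CVE count) can be reproduced over an application inventory. The script below is an added example, not code from the report, from Osterman Research or from GramTech; the inventory, the CVE identifiers (placeholders), the CVSS values and the severity weighting bands are all constructed assumptions, since the report does not publish its exact formula.

```python
"""Weighted vulnerability scoring for open-source components in applications.

Added example, not the report's own tooling. The report only states that
components were scored by the number and severity of CVEs and that repeated
instances of a component within one application were counted once; the data,
CVSS values and severity weights below are constructed assumptions.
"""
from collections import defaultdict

# Constructed inventory: application -> list of (component, version) occurrences.
# "cloud-client" lists openssl 1.0.1 twice on purpose to exercise de-duplication.
INVENTORY = {
    "browser-a":      [("firefox-engine", "45.0"), ("openssl", "1.0.1")],
    "mail-client":    [("openssl", "1.0.1"), ("libav", "11.3")],
    "cloud-client":   [("openssl", "1.0.1"), ("openssl", "1.0.1"), ("openssl", "1.1.0")],
    "meeting-client": [("firefox-engine", "38.0"), ("libav", "11.3")],
}

# Constructed CVE data: (component, version) -> {placeholder CVE id: CVSS base score}.
# openssl 1.1.0 is deliberately worse than 1.0.1 to mirror the finding that a
# newer version is not always more secure.
KNOWN_CVES = {
    ("firefox-engine", "45.0"): {"CVE-XXXX-0001": 10.0, "CVE-XXXX-0002": 7.5},
    ("firefox-engine", "38.0"): {"CVE-XXXX-0003": 5.0},
    ("openssl", "1.0.1"):       {"CVE-XXXX-0004": 7.5, "CVE-XXXX-0005": 5.0},
    ("openssl", "1.1.0"):       {"CVE-XXXX-0006": 10.0, "CVE-XXXX-0007": 7.5},
    ("libav", "11.3"):          {"CVE-XXXX-0008": 4.3},
}


def severity_weight(cvss: float) -> int:
    """Assumed weighting by CVSS v3 rating band: critical=4, high=3, medium=2, low=1."""
    if cvss >= 9.0:
        return 4
    if cvss >= 7.0:
        return 3
    if cvss >= 4.0:
        return 2
    return 1


def unique_components(app: str) -> list:
    """Distinct (component, version) pairs in one application; instances counted once."""
    return sorted(set(INVENTORY[app]))


def component_score(comp: tuple) -> int:
    """Weighted score of one component version: sum of severity weights of its CVEs."""
    return sum(severity_weight(s) for s in KNOWN_CVES.get(comp, {}).values())


def app_load(app: str) -> int:
    """Vulnerability load of an application: weighted scores summed over unique components."""
    return sum(component_score(c) for c in unique_components(app))


def cve_share_by_component() -> dict:
    """Percentage of all counted CVEs per component name, counting a component once per app."""
    counts = defaultdict(int)
    for app in INVENTORY:
        for comp in unique_components(app):
            counts[comp[0]] += len(KNOWN_CVES.get(comp, {}))
    total = sum(counts.values())
    return {name: round(100 * n / total, 1) for name, n in counts.items()}


def critical_components(threshold: float = 10.0) -> list:
    """Component versions carrying at least one CVE at or above the CVSS threshold."""
    return sorted(c for c, cves in KNOWN_CVES.items()
                  if max(cves.values(), default=0.0) >= threshold)


if __name__ == "__main__":
    for app in INVENTORY:
        print(f"{app:15s} load={app_load(app):3d} components={unique_components(app)}")
    print("CVE share by component:", cve_share_by_component())
    print("Components with a CVSS 10.0 CVE:", critical_components())
```

Note the three checks a practitioner would run against their own inventory: which applications carry the highest load, which components dominate the CVE share (so that fixing a few of them removes most of the risk, as the report concludes), and which component versions carry a critical-severity CVE and should be handled first regardless of their share.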

"The immediate conclusion is that urgently addressing the use of versions of the Firefox, OpenSSL, and libav open-source components with the vulnerability will make a significant contribution to mitigating the security risks of using open-source software across the five product categories," Osterman said.

"Any open-source component that has a high or critical vulnerability should not be ignored and should be dealt with immediately to mitigate the risk," the report said.

The report argues that checking open-source components of an application for vulnerabilities is one way an organization can conduct a risk assessment.
