Sonatype Eyes "Staggering" Use Of Vulnerable Open Source Components

Attempting to analyze real-world usage of vulnerable versions of open-source libraries, software vendors Sonatype and Aspect Security claim to have found "staggering" use of susceptible components that have been downloaded from central repositories in order to conduct finance, energy, government, and military activities.

Sonatype acts as steward for the Central Repository, a managed resource for open-source components that the company says receives four billion requests per year, contains 300,000 components, and is used by more than 60,000 development organizations worldwide. The repository's data was analyzed for a survey by a team from Aspect Security, including Jeff Williams, who is responsible for drafting the "Open Web Application Security Project (OWASP) Top 10," a resource and guideline for application security.

Findings from the study include:

  • More than 80 percent of a typical software application consists of open-source components and frameworks consumed in binary form.
  • Many popular components have flaws: There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities.
  • Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
  • Open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components.

"While the numbers from this report are alarming, the take-away is clear — open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," said Jeff Williams, CEO of Aspect Security. "A single vulnerable component can completely undermine the security of an application, expose vulnerable data assets, and jeopardize the integrity of an organization's software portfolio."

Sonatype says that the average enterprise downloads more than 1,000 unique components from the Central Repository each month, with large banks and independent software vendors (ISVs) downloading even more. Because each component includes dependencies on tens or hundreds of other components, a massively complex ecosystem emerges.
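As an added illustration of that transitive amplification (example code written for this page, not from the Sonatype study or any Sonatype tool): given a small constructed Maven-style dependency graph and a constructed list of known-vulnerable coordinates, the walker below reports every vulnerable component an application pulls in, even indirectly, and the path by which it arrives. All coordinates, versions and the "vulnerable" set are placeholders, not real advisories.

```python
# Added example: walk a groupId:artifactId:version dependency graph and
# report each path from the application to a component on a vulnerable list.
# Every coordinate, version and the KNOWN_VULNERABLE set below is constructed
# for illustration; none refers to a real advisory.
from collections import deque

# component -> the dependencies it declares (constructed graph)
DEPENDENCY_GRAPH = {
    "example.app:webapp:1.0": [
        "com.google.gwt:gwt-servlet:0.0-example",
        "org.springframework:spring-webmvc:0.0-example",
        "example.lib:reporting:2.1-example",
    ],
    "com.google.gwt:gwt-servlet:0.0-example": [],
    "org.springframework:spring-webmvc:0.0-example": [
        "org.springframework:spring-core:0.0-example",
    ],
    "org.springframework:spring-core:0.0-example": [],
    # one innocuous-looking direct dependency drags in two flagged components
    "example.lib:reporting:2.1-example": [
        "xerces:xercesImpl:0.0-example",
        "struts:struts:1.0-example",
    ],
    "xerces:xercesImpl:0.0-example": [],
    "struts:struts:1.0-example": [],
}

# Constructed stand-in for a vulnerability feed keyed by exact coordinates.
KNOWN_VULNERABLE = {"xerces:xercesImpl:0.0-example", "struts:struts:1.0-example"}


def transitive_closure(root, graph=DEPENDENCY_GRAPH):
    """Return every component reachable from root, excluding root itself."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        coord = queue.popleft()
        if coord not in seen:
            seen.add(coord)
            queue.extend(graph.get(coord, []))
    return seen


def vulnerable_paths(root, graph=DEPENDENCY_GRAPH, vulnerable=KNOWN_VULNERABLE):
    """Map each reachable vulnerable coordinate to a shortest path from root.

    Breadth-first order guarantees the first path recorded is a shortest one,
    which tells a reviewer the nearest direct dependency to fix or replace.
    """
    found, visited = {}, set()
    queue = deque((dep, [root, dep]) for dep in graph.get(root, []))
    while queue:
        coord, path = queue.popleft()
        if coord in visited:
            continue
        visited.add(coord)
        if coord in vulnerable:
            found[coord] = path
        queue.extend((child, path + [child]) for child in graph.get(coord, []))
    return found
```

Run against a real build, the same walk over the resolved dependency tree and a current vulnerability feed shows which direct dependencies are responsible for indirect exposure, which is the control the article says must accompany open-source usage.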

According to Sonatype, the growing reliance on open-source components as core building blocks for application development, coupled with the complexity of the ecosystem, has given rise to a largely misunderstood application security risk where the world's largest enterprises have built mission-critical applications that contain vulnerabilities.
