In a study of real-world use of vulnerable versions of open-source libraries, software vendors Sonatype and Aspect Security report "staggering" numbers of downloads of susceptible components from central repositories by organizations in the finance, energy, government, and military sectors.
Sonatype acts as steward for the Central Repository, a managed resource for open-source components that the company says receives four billion requests per year, contains 300,000 components, and is used by more than 60,000 development organizations worldwide. The repository's download data was analyzed for the survey by a team from Aspect Security that included Jeff Williams, who drafted the Open Web Application Security Project (OWASP) Top 10, a widely used resource and guideline for application security.
Findings from the study include:
- More than 80 percent of a typical software application consists of open-source components and frameworks consumed in binary form.
- Many popular components have flaws: there were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) alone accounted for 17.7 million downloads of versions with known vulnerabilities.
- Other popular libraries downloaded in vulnerable versions included Xerces, Spring MVC, and Struts 1.x.
- Open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components.
"While the numbers from this report are alarming, the take-away is clear — open-source software is critical to forward-thinking development organizations, but there must be education and control to accompany its usage," said Jeff Williams, CEO of Aspect Security. "A single vulnerable component can completely undermine the security of an application, expose vulnerable data assets, and jeopardize the integrity of an organization's software portfolio."
Sonatype says that the average enterprise downloads more than 1,000 unique components from the Central Repository each month, with large banks and independent software vendors (ISVs) downloading even more. Because each of those components in turn depends on tens or hundreds of other components, a massively complex dependency ecosystem emerges, and a vulnerable version can arrive in an application that never declared it directly.
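The transitive fan-out described above is what makes a vulnerable version easy to miss: the application's build file may never name it. The following Python script is an added example for this article, not part of the original report or of Sonatype's or Aspect Security's tooling. It parses the text format printed by `mvn dependency:tree`, checks every node against an advisory list, and reports the path through which each match is pulled in, so a direct dependency can be told apart from one inherited two levels down. The sample tree and the advisory entries are constructed for illustration; the `org.example.*` coordinates and the versions marked vulnerable are hypothetical placeholders, not real advisories.

```python
"""Walk a Maven dependency tree and flag components present at advisory-listed versions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output.
# All coordinates and versions are hypothetical placeholders.
SAMPLE_TREE = """\
[INFO] com.example:payments-app:jar:1.4.0
[INFO] +- org.example.web:web-framework:jar:2.1.0:compile
[INFO] |  +- org.example.xml:xml-parser:jar:1.2.3:compile
[INFO] |  \\- org.example.util:commons-helper:jar:3.0.1:compile
[INFO] +- org.example.sec:auth-lib:jar:0.9.0:compile
[INFO] |  \\- org.example.xml:xml-parser:jar:1.2.3:compile
[INFO] \\- org.example.test:unit-test:jar:4.8.0:test
"""

# Hypothetical advisory list: group:artifact -> versions to flag. In practice this
# would be loaded from a vulnerability feed; these entries are made up for the demo.
VULNERABLE: Dict[str, Set[str]] = {
    "org.example.xml:xml-parser": {"1.2.3"},
    "org.example.sec:auth-lib": {"0.9.0"},
}


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"

    def __str__(self) -> str:
        return f"{self.key}:{self.version}"


@dataclass
class Finding:
    component: Component
    path: List[Component]  # root first, flagged component last

    @property
    def direct(self) -> bool:
        # Root -> component with nothing in between means the app declared it itself.
        return len(self.path) == 2


# One tree line: optional "[INFO] " prefix, zero or more 3-character tree segments
# ("+- ", "\- ", "|  ", "   "), then the coordinates. Depth = number of segments.
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:\+- |\\- |\|  |   )*)(\S+)$")


def parse_coordinates(text: str) -> Component:
    """Accept group:artifact:type:version (root) and group:artifact:type[:classifier]:version:scope."""
    parts = text.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {text!r}")
    version = parts[3] if len(parts) == 4 else parts[-2]
    return Component(parts[0], parts[1], version)


def parse_tree(text: str) -> List[List[Component]]:
    """Return every node in the tree as its full path from the root."""
    paths: List[List[Component]] = []
    stack: List[Tuple[int, Component]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # other Maven log lines are ignored
        depth = len(m.group(1)) // 3
        comp = parse_coordinates(m.group(2))
        while stack and stack[-1][0] >= depth:
            stack.pop()  # climb back up to this node's parent
        stack.append((depth, comp))
        paths.append([c for _, c in stack])
    return paths


def find_vulnerable(text: str, advisories: Dict[str, Set[str]]) -> List[Finding]:
    """Every occurrence of an advisory-listed version, with the path that pulled it in."""
    findings: List[Finding] = []
    for path in parse_tree(text):
        comp = path[-1]
        if comp.version in advisories.get(comp.key, set()):
            findings.append(Finding(comp, path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return {
        "occurrences": len(findings),
        "distinct": len({str(f.component) for f in findings}),
        "transitive": sum(1 for f in findings if not f.direct),
    }


if __name__ == "__main__":
    results = find_vulnerable(SAMPLE_TREE, VULNERABLE)
    for f in results:
        kind = "direct" if f.direct else "transitive"
        print(f"{f.component} ({kind}) via " + " -> ".join(str(c) for c in f.path))
    print(summarize(results))
```

On the constructed tree the script reports three occurrences of two flagged components: `auth-lib` is a direct dependency, while `xml-parser` appears twice, each time pulled in by a different direct dependency that the application's own build file does not reveal. Replacing the sample with real `mvn dependency:tree` output and the advisory dictionary with entries from a vulnerability feed gives the same report for an actual build.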
According to Sonatype, the growing reliance on open-source components as core building blocks for application development, coupled with the complexity of the dependency ecosystem, has given rise to a largely misunderstood application security risk: the world's largest enterprises have built mission-critical applications on components with known vulnerabilities.