Do Insecure Open Source Components Threaten Your Apps?
Open Source components are a boon to developers, allowing them to efficiently write code without reinventing the wheel. But since open source lacks the notification infrastructure of commercial software, organizations must maintain a running inventory of open source components and their dependencies in production applications or risk deploying apps with known vulnerabilities.
Fri, March 30, 2012
CIO — Does your organization keep an inventory of the open source components developers use in production applications? If not, you're in good company, but it might be time to start, says Wayne Jackson, CEO of Sonatype, the firm that operates the Maven Central Repository of open source components.
Since Apache Maven, the brainchild of Sonatype founder Jason van Zyl, emerged as a top-level Apache Software Foundation project in 2003, the Central Repository has become a primary source of open source components. Jackson says the Central Repository receives four billion requests per year for its 300,000 components.
But after crunching the data on how the Central Repository's components are usedwith the help of application security specialist Aspect SecurityJackson says he believes organizations need to be much more diligent in their practices around open source components because many are exposing themselves to risk by deploying older, vulnerable versions of components.
Global 500 Firms Downloaded 2.8 Million Insecure Components
Aspect Security's study of Sonatype's data found that more than 80 percent of typical software applications are open source components and frameworks consumed in binary form, and that Global 500 organizations, collectively, downloaded more than 2.8 million insecure components in one year. The average enterprise downloads more than 1,000 unique components from the Central Repository each month, and large banks and independent software vendors (ISVs) download even more. And many of the most popular components displayed flaws.
The study found there were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and frameworks. For instance, Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC and Struts 1.x.
In many cases, newer, patched versions of the components or frameworks were available, but users downloaded insecure versions anyway. The study found one in three of the most popular components had older, vulnerable versions that were still commonly downloaded, even when a newer version with a security fix was available.
"The rates of consumption of flawed components were shocking to us," Jackson says. "I think the root reason for that behavior must be a lack of awareness driven by a lack of notification infrastructure."
The Issue Is Notification, Not Open Source
Jackson's issue is not with the open source model itself. "I have been for years and remain a huge advocate for open source," he says. "I think the pace of innovation, the ability to leverage other people's innovation and the transparency and many-eyeballs theory makes open source much more secure over time. What we are trying to point out is not whether open source is better or worse than commercial software or whether open source is fundamentally flawed."