Report: Companies in the Dark About Their Open Source Risk Exposure

Commercial software is full of security vulnerabilities from unpatched open source components developers use, according to a report Black Duck Software issued last week.

Software companies misjudge how much open source code their commercial products contain, the report says.

The report, titled "The State of Open Source Security in Commercial Applications," is based on an analysis of 200 applications that researchers reviewed over the previous six months.

Ninety-five percent of applications include open source code components, and 67 percent of open source components had unpatched vulnerabilities, researchers found. Many of those software products are heavily used in enterprises today.

The companies estimated that open source made up less than 45 percent of the code in their own software. Many were not aware of the vulnerability risks associated with the open source code they used.

"We knew this information anecdotally from past audits, but now we have empirical evidence to back that up," said Brian Carter, director of strategic communications for Black Duck.

"We now know that people do not have a really good grasp on where all the open source is and how much they are using," he told Linux Insider.

The analysis did not find relatively new vulnerabilities that caught researchers by surprise. Rather, many of the vulnerabilities had existed on average for five years.

About 40 percent of the vulnerabilities fell into the high-severity category based on their Common Vulnerability Scoring System, or CVSS, scores of 7 or more. Each application contained on average 105 open source components and 22 vulnerabilities.

CVSS is an open framework for determining the characteristics and severity of software vulnerabilities. Medium severity is assigned to software with a base CVSS score of 4.0 to 6.9. High-severity vulnerabilities come with a CVSS base score of 7.0 to 10.0.

Companies use open source because it is free and lowers their development costs. It allows their internal developers to do higher-order tasks and gets them to market faster, according to Carter.

Perhaps the most significant indication of security concerns involving commonly used open source components is that well-publicized vulnerabilities remain unpatched, he noted.

Because companies are getting open source from so many places, they have lost control over its integrity. That leaves them exposed to vulnerabilities that already are publicized in various databases, Carter added.

"They do not have a good automated way of knowing where their code is. This lack of visibility keeps many software developers from being able to stay on top of their vulnerabilities," he said.

The report, written by Mike Pittenger, Black Duck's vice president of security strategy, is based on audits of customers' software. The audits usually are requested when a company is involved in a merger or acquisition situation.

Typically, the audits include commercial software that has been on the market for a number of years. The report is the first the company has released as part of an expanded role, begun in 2014, that aims to alert software companies to specific vulnerabilities and to the location of open source code in their products, Carter said.

"We have never done an aggregated report like this," he said. "We have talked internally about what they generally see in the individual analysis they conduct of customers' software. This is the first time Black Duck put the pieces together and released the findings."

The report focuses on companies in all industries that came to Black Duck as part of a merger or acquisition situation to vet the software involved. Black Duck plans to issue reports on the state of open source about twice per year. The goal is to make software developers more aware of their software management needs, Carter said.

Ten percent of the audited applications contained components vulnerable to Heartbleed, a security vulnerability in the OpenSSL cryptography library widely used in the Transport Layer Security protocol.

SSL, or Secure Sockets Layer, is a security technology for encrypting links between Web servers and Web browsers.

The same ratio contained components vulnerable to Poodle. That vulnerability, Padding Oracle On Downgraded Legacy Encryption, is a man-in-the-middle exploit that takes advantage of client software falling back to SSL 3.0.

"The companies in this report, particularly those who continued to ship software that included versions of OpenSSL that were susceptible to Heartbleed 18 months after the bug was publicized, are living below the security poverty line," said Emily Ratliff, senior director of infrastructure security at the Linux Foundation.

Black Duck anonymized the analysis results in the report, so the names of specific software titles and the companies that deployed them are not disclosed.

"The audits are discreet," said Carter. "This report is in no way dishonoring open source. It is really about the obligation of folks to do a better job managing and securing their open source."

Open source software, unlike commercial software, has no Patch Tuesday. Nobody is automating any patching processes. Companies are on their own to patch the code, make the updates and do vulnerability management, said Carter.
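The inventory triage that Carter describes as missing, applied to the CVSS bands and the Heartbleed version range discussed above, as an added example (not Black Duck's code or the report's data): it takes a component list for one application, bands each known vulnerability by CVSS base score, computes the report-style metrics (share of components with unpatched vulnerabilities, average vulnerability age), and flags OpenSSL builds in the Heartbleed-affected range 1.0.1 through 1.0.1f. The `Vuln`/`Component` types, the sample inventory and its scores and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean

@dataclass
class Vuln:
    name: str
    cvss: float        # CVSS base score
    published: date    # disclosure date

@dataclass
class Component:
    name: str
    version: str
    vulns: list = field(default_factory=list)

def severity(score):
    """Bands from the article: high 7.0-10.0, medium 4.0-6.9; low (<4.0) assumed."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def parse_version(v):
    """'1.0.1f' -> (1, 0, 1, 'f') so OpenSSL letter releases compare in order."""
    *nums, last = v.split(".")
    digits = last.rstrip("abcdefghijklmnopqrstuvwxyz")
    return tuple(int(n) for n in nums + [digits]) + (last[len(digits):],)

def heartbleed_exposed(c):
    """OpenSSL 1.0.1 through 1.0.1f carry the Heartbleed bug; 1.0.1g fixed it."""
    return c.name == "openssl" and \
        parse_version("1.0.1") <= parse_version(c.version) <= parse_version("1.0.1f")

def summarize(components, today):
    """Report-style metrics for one application's component inventory."""
    vulns = [v for c in components for v in c.vulns]
    bands = {b: sum(1 for v in vulns if severity(v.cvss) == b) for b in ("high", "medium", "low")}
    ages = [(today - v.published).days / 365.25 for v in vulns]
    return {
        "components": len(components),
        "pct_with_vulns": round(100 * sum(1 for c in components if c.vulns) / len(components)),
        "vulns": len(vulns),
        "bands": bands,
        "avg_age_years": round(mean(ages), 1) if ages else 0.0,
        "heartbleed_components": [f"{c.name} {c.version}" for c in components if heartbleed_exposed(c)],
    }

# Constructed inventory: versions, scores and dates are illustrative, not from the report.
SAMPLE = [
    Component("openssl", "1.0.1e", [Vuln("heartbleed", 5.0, date(2014, 4, 7)),
                                    Vuln("poodle", 4.3, date(2014, 10, 14))]),
    Component("openssl", "1.0.1g"),                       # patched build, must not be flagged
    Component("libxml2", "2.9.0", [Vuln("sample-parser-bug", 7.5, date(2012, 1, 1))]),
    Component("zlib", "1.2.8"),
]

def sample_summary():
    return summarize(SAMPLE, date(2016, 4, 30))

if __name__ == "__main__":
    print(sample_summary())
```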

"Companies who are not triaging known and tagged security vulnerabilities in open source components in their software are most likely not proactively looking for security vulnerabilities in their own code," Ratliff told LinuxInsider.

As an industry, software companies need to get much better at security hygiene, she said. They need to focus on secure development practices, vulnerability handling and disclosure, and patching known vulnerabilities quickly.

Jack M. Germain has been writing about computer technology since the early days of the Apple II and the PC. He still has his original IBM PC-Jr and a few other legacy DOS and Windows boxes. He left shareware programs behind for the open source world of the Linux desktop. He runs several versions of Windows and Linux OSes and often cannot decide whether to grab his tablet, netbook or Android smartphone instead of using his desktop or laptop gear. You can connect with him on Google+.