A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components.
In its 2017 State of Software Security Report the firm reviewed application security testing data from scans of its base of 1400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks.
Part of the problem, Veracode claimed, is that fewer than 28% of companies regularly analyze which components are built into their applications.
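The "regular analysis" the report finds missing is, at its simplest, an inventory of declared components checked against an advisory feed. The following is an added example, not code from the report or from Veracode: it parses a constructed Maven pom.xml, resolves `${property}` version placeholders, and flags dependencies whose version falls inside a hypothetical affected range, using a simplified Maven version ordering so that pre-releases such as `1.9.0-beta2` are correctly treated as older than `1.9.0`. The advisory identifiers and version ranges are placeholders, not real advisory data.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample pom.xml (not taken from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>webapp</artifactId><version>1.0.0</version>
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>safe-lib</artifactId>
      <version>3.2.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-utils</artifactId>
      <version>1.9.0-beta2</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>managed-lib</artifactId></dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: IDs and ranges are illustrative placeholders, NOT real
# advisory data. A production check would query a real feed (e.g. OSV, NVD).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "group": "org.apache.struts", "artifact": "struts2-core",
     "introduced": "2.5", "fixed": "2.5.10.1"},
    {"id": "ADV-EXAMPLE-2", "group": "org.example", "artifact": "json-utils",
     "introduced": "1.0", "fixed": "1.9.0"},
]

_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                   "rc": 3, "cr": 3, "snapshot": 4}
_RELEASE_RANK = 5  # a bare numeric version outranks any pre-release qualifier
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d*))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Simplified Maven ordering: numeric segments (trailing zeros dropped so that
    2.5 == 2.5.0), then qualifier rank (beta < rc < release), then qualifier number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qual = (m.group(2) or "").lower()
    rank = _RELEASE_RANK if qual == "" else _QUALIFIER_RANK.get(qual, _RELEASE_RANK - 1)
    qnum = int(m.group(3)) if m.group(3) else 0
    return (tuple(nums), rank, qnum)


def compare_versions(a: str, b: str) -> int:
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def _tag(ns: str, name: str) -> str:
    return f"{{{ns}}}{name}" if ns else name


def direct_dependencies(pom_xml: str) -> List[Dict[str, Optional[str]]]:
    """Return the pom's directly declared dependencies with ${...} versions resolved."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    props: Dict[str, str] = {}
    own_version = root.findtext(_tag(ns, "version"))
    if own_version:
        props["project.version"] = own_version
    props_el = root.find(_tag(ns, "properties"))
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()

    def resolve(value: Optional[str]) -> Optional[str]:
        if value is None:
            return None
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value).strip()

    deps_el = root.find(_tag(ns, "dependencies"))
    return [{"group": d.findtext(_tag(ns, "groupId")),
             "artifact": d.findtext(_tag(ns, "artifactId")),
             "version": resolve(d.findtext(_tag(ns, "version")))}
            for d in (deps_el if deps_el is not None else [])]


def scan_pom(pom_xml: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match each declared dependency against advisories; introduced <= version < fixed."""
    findings = []
    for dep in direct_dependencies(pom_xml):
        coord = f"{dep['group']}:{dep['artifact']}"
        if dep["version"] is None or "${" in dep["version"]:
            # Version inherited from a parent/BOM or an unresolved property: the pom alone
            # cannot tell us what ships, so report it rather than silently assume it is safe.
            findings.append({"dependency": coord, "version": dep["version"] or "(managed)",
                             "advisory": "UNRESOLVED"})
            continue
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (dep["group"], dep["artifact"]):
                continue
            if (compare_versions(dep["version"], adv["introduced"]) >= 0
                    and compare_versions(dep["version"], adv["fixed"]) < 0):
                findings.append({"dependency": coord, "version": dep["version"],
                                 "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for f in scan_pom(SAMPLE_POM, ADVISORIES):
        print(f"{f['advisory']:15} {f['dependency']} {f['version']}")
```

Two caveats a practitioner should keep in mind: a pom.xml lists only direct dependencies, so the transitive closure (for Maven, the output of `mvn dependency:tree`) is the inventory that actually matters, and a dependency whose version is managed by a parent or BOM is flagged here as unresolved rather than skipped, because "not found in the pom" is not the same as "not vulnerable".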
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Chris Wysopal, CTO, CA Veracode.
The last year has seen plenty of high-profile breaches of Java applications caused by vulnerabilities in open source or commercial components, among them the ‘Struts-Shock’ flaw in the Apache Struts 2 web application framework.
“Development teams aren’t going to stop using components – nor should they, but when an exploit becomes available, time is of the essence,” Wysopal added. Yet the report shows that the most severe flaws take a long time to fix: only 22% of very-high-severity flaws were patched within 30 days, while most attackers begin exploiting a vulnerability within days of its discovery.
“We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”