The number of buggy open source components downloaded in the UK has soared by over 100% over the past year, according to new research from Sonatype.
The DevSecOps automation firm revealed that one in eight open source components downloaded in the country last year contained known security vulnerabilities – a 120% year-on-year increase.
Sonatype confirmed to Infosecurity that data for the report was mined from The Central Repository, the default repository for Apache Maven, SBT and other build systems, which contains over 2.5m indexed artifacts.
For example, 145,000 downloads of vulnerable versions of Apache Commons Collections were recorded in the UK in 2017 – vulnerabilities connected to ransomware attacks in the wild.
In 2017, UK developers also downloaded 68,000 known vulnerable versions of Bouncy Castle components used for cryptography and 40,000 vulnerable versions of Apache Struts components, like the one exploited in the Equifax breach.
Open source components are widely used by developers today. In fact, Sonatype estimates 80%-90% of every modern application is made up of them. In 2016, developers downloaded 52 billion Java components from the Central Repository alone, a 68% year-on-year increase.
However, thanks to manual processes and a lack of built-in security controls, many developers miss preventable security mistakes. In all of the above cases, for example, there were safe versions of the software components available for download, according to Sonatype.
“Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components (and in cases of serious vulnerabilities, block the download),” wrote Gartner analysts Neil MacDonald and Ian Head last year.
The security problems associated with open source components are nothing new. A study from Synopsys last year revealed that half of the third-party components used in software applications are outdated and possibly insecure.
Yet another report, this time from Black Duck’s Center for Open Source Research and Innovation last year, claimed that over 60% of all apps using open source components contain known software vulnerabilities.