2.6 million downloads across the Global 500

Banks and ISVs hit hard by open source vulnerabilities


A new study by Sonatype and Aspect Security reveals 41 million downloads of vulnerable open source components in a year

Financial institutions and independent software vendors (ISVs)
are being hit disproportionately hard by security holes in open
source software components, according to a new
by Sonatype and Aspect Security. The companies followed
out-of-date, compromised packages in the Maven Central Repository
over the course of a year, watching the ‘Global 500’ group clock up
a collective 2.8 million downloads. The ‘Global 100’ group of banks
and other financial institutions downloaded 567,000 insecure
components over the same period.

The findings will come as a shock to enterprise developers and
operations staff, who regularly rely on dozens of open source
components in a single project. The companies behind the study
emphasise that a change in attitude is needed to prevent outdated
software from entering the development process, offering four basic
steps to follow:

  • Inventor – “Gather information about your current library
  • Analyse – “Check the project and the source for yourself”.
  • Control – “Restrict the use of unapproved libraries”.
  • Monitor – “Keep libraries up-to-date”.

Sonatype and Aspect’s study comes just over a month after a
report from development testing firm Coverity revealed comparable
levels of quality between open source and proprietary code bases.
Barely two weeks ago, another study from Sonatype
52% of surveyed enterprise users standardising around
open source stacks.

Speaking to us last month, Coverity’s scan director Zack Samocha


The lines between open source and proprietary code are really
blurring — if I was a commercial customer today, I’d probably be
using at least one or two open source projects in my development
process, and the quality of those projects needs to be in line with
whatever I develop in-house.

The most prevalent vulnerable components across the period of
the latest study were Google Web Toolkit, Apache Xerces, Spring
MVC, Struts and Apache CXF, contributing to a grand total of 41
million downloads across the 31 most popular libraries. Worryingly,
the report emphasises that the real numbers are probably

We suspect that these numbers are significantly underreported,
as we are not able to correctly associate all of the downloads with
an organization (due to repository managing caching). Many
downloads were attributed to an Internet provider, and slightly
over 40% of the downloads could not be attributed to any specific

Head over to Aspect’s site to grab the
full report
, or download the ‘executive summary’ from Sonatype


comments powered by Disqus