2.8 million downloads across the Global 500
Banks and ISVs hit hard by open source vulnerabilities
Financial institutions and independent software vendors (ISVs) are being hit disproportionately hard by security holes in open source software components, according to a new study by Sonatype and Aspect Security. The companies tracked downloads of out-of-date, known-vulnerable versions of popular libraries from the Maven Central Repository over the course of a year and found that the ‘Global 500’ group of companies collectively downloaded 2.8 million of them. The ‘Global 100’ group of banks and other financial institutions downloaded 567,000 insecure components over the same period.
The findings will come as a shock to enterprise developers and operations staff, who regularly rely on dozens of open source components in a single project. The companies behind the study emphasise that a change in attitude is needed to prevent outdated software from entering the development process, offering four basic steps to follow:
- Inventory - “Gather information about your current library situation”.
- Analyse - “Check the project and the source for yourself”.
- Control - “Restrict the use of unapproved libraries”.
- Monitor - “Keep libraries up-to-date”.
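A minimal pass through the first three steps, written as an added example for this page (it is not tooling from Sonatype or Aspect Security). It reads a constructed pom.xml, resolves each dependency to an effective version (properties and dependencyManagement expanded), compares the result against a constructed advisory table and an approved-library list, and reports what it could not resolve. All coordinates (org.example, com.example.thirdparty), advisory entries and the approved list are hypothetical; real advisory data would come from a vulnerability feed.

```python
"""Inventory, analyse and control for one Maven pom.xml.

Added example for this page, not Sonatype or Aspect Security code. The
pom.xml, advisory table and approved list are constructed; the
coordinates are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: one version via a property, one via
# dependencyManagement, one pinned inline, one left unresolved.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><mvc.version>3.0.2</mvc.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-xml</artifactId>
      <version>2.9.1</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-mvc</artifactId>
      <version>${mvc.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-xml</artifactId></dependency>
    <dependency><groupId>com.example.thirdparty</groupId><artifactId>widget-ui</artifactId>
      <version>1.2.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-util</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed, hypothetical advisory table: coordinate -> first fixed version.
ADVISORIES = {("org.example", "example-mvc"): "3.0.5",
              ("org.example", "example-xml"): "2.9.1"}

# Constructed approved-library list for the "control" step.
APPROVED = {("org.example", "example-mvc"), ("org.example", "example-xml"),
            ("org.example", "example-util")}


def version_key(version):
    """Sortable key for dotted versions: numeric segments compare as integers,
    so 1.10.0 > 1.9.3. Simplification: Maven's own ordering (qualifiers such as
    -SNAPSHOT, -alpha) is richer; use this for plain numeric versions only."""
    return tuple((0, int(p)) if p.isdigit() else (-1, p)
                 for p in re.split(r"[.\-]", version))


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${name} placeholders; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_pom(xml_text):
    """Inventory: (groupId, artifactId, effective version) per dependency.
    Version is None when neither the dependency nor dependencyManagement sets it."""
    root = ET.fromstring(xml_text)
    props = {"project.version": _text(root, "version") or ""}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    managed = {(_text(d, "groupId"), _text(d, "artifactId")): _text(d, "version")
               for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}
    inventory = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g, a = _text(d, "groupId"), _text(d, "artifactId")
        v = _text(d, "version") or managed.get((g, a))
        inventory.append((g, a, _resolve(v, props) if v else None))
    return inventory


def analyse(inventory, advisories):
    """Analyse: flag dependencies below the first fixed version in the table."""
    return [(f"{g}:{a}:{v}", fixed) for g, a, v in inventory
            if v and (fixed := advisories.get((g, a))) and version_key(v) < version_key(fixed)]


def control(inventory, approved):
    """Control: dependencies not on the approved list, plus dependencies whose
    version could not be resolved (e.g. set in a parent POM that was not loaded)
    and therefore could not be analysed at all."""
    unapproved = [f"{g}:{a}" for g, a, _ in inventory if (g, a) not in approved]
    unresolved = [f"{g}:{a}" for g, a, v in inventory if v is None]
    return unapproved, unresolved


def audit(xml_text, advisories=ADVISORIES, approved=APPROVED):
    inventory = parse_pom(xml_text)
    unapproved, unresolved = control(inventory, approved)
    return {"inventory": inventory, "vulnerable": analyse(inventory, advisories),
            "unapproved": unapproved, "unresolved": unresolved}


if __name__ == "__main__":
    for key, rows in audit(POM_XML).items():
        print(key, rows)
```

The "monitor" step is the same audit re-run on every build against a refreshed advisory table; the unresolved list matters because a dependency whose version comes from an unloaded parent POM silently escapes the vulnerability check, and a gate that fails the build on a non-empty vulnerable, unapproved or unresolved list is the simplest way to keep unapproved libraries out.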
Sonatype and Aspect’s study comes just over a month after a report from development testing firm Coverity revealed comparable levels of quality between open source and proprietary code bases. Barely two weeks ago, another study from Sonatype showed 52% of surveyed enterprise users standardising around open source stacks.
Speaking to us last month, Coverity’s scan director Zack Samocha said:
The lines between open source and proprietary code are really blurring -- if I was a commercial customer today, I'd probably be using at least one or two open source projects in my development process, and the quality of those projects needs to be in line with whatever I develop in-house.
The vulnerable components downloaded most often over the study period were Google Web Toolkit, Apache Xerces, Spring MVC, Struts and Apache CXF; the 31 most popular libraries tracked accounted for 41 million downloads in total. Worryingly, the report emphasises that the real numbers are probably higher:
We suspect that these numbers are significantly underreported, as we are not able to correctly associate all of the downloads with an organization (due to repository manager caching). Many downloads were attributed to an Internet provider, and slightly over 40% of the downloads could not be attributed to any specific organization.