Unpatched open source components pose security issues

Be mindful about where your code is coming from: How much is too much open source?

Jane Elizabeth

Open source is great. But when it can lead to more security vulnerabilities, how much is too much? And can DevOps save us all? We go over the 2017 State of Software Security Report and see how the industry is doing.

This may be an indelicate question, but do you know where your code is from?

Security-wise, this is a more important factor than developers might think. Recent security breaches like the Equifax fiasco of 2017 highlight the importance of being careful with open source software. As we discussed earlier this week, hackers used a known vulnerability in Apache Struts to access the sensitive information of more than 143 million Americans.

(We have to mention that this issue was announced with a security patch on the same day. Equifax is culpable for not updating their code, not Apache.)

And that’s not even going into the vulnerabilities from the WannaCry and Petya ransomware attacks from earlier this year.

Open source has a number of pros and cons. Thanks to its open and collaborative nature, open source allows many eyes to look at the code and spot issues and errors. These errors are posted publicly. In theory, everyone then goes and updates their code. But experience tells us that’s not always the case.

Poor maintenance or sheer busyness often keeps programmers from updating their code. And once vulnerabilities are publicly posted, it becomes child’s play for a hacker to play the odds and test various organizations to see if someone hasn’t updated their code in a while.


How much is too much open source?

First things first. We here at JAXenter love open source. Like, a lot. (We come to praise open source, not bury it.)

However, in these kinds of security situations, the question becomes how much is too much? There’s a tension between utilizing open source and maintaining application and organizational security.

According to the 2017 State of Software Security Report, about 75% of application code is made up of open source components. This is something of a cause for concern, especially when only 28% of organizations track and monitor their application’s components.

Alarmingly, Veracode’s report noted that “most open source components remain unpatched once they’re built into software”. A shocking 88% of Java applications had at least one flaw in a component.

Again, the crux of this issue is that developers don’t patch components in production once the vulnerabilities are found or when new versions are released. While they do have some good reasons for not doing so (compatibility issues, time, putting out other fires in the system), it leads to security issues down the line.


Silver linings security

The good news is things are getting better. Veracode’s report points out that there are a number of “maturing programs that are making steady progress on their vulnerability flaw density”.

The bad news is that there aren’t a whole lot of these programs to begin with, and they still have a long way to go to improve the industry’s security problems.

The graph below is particularly illuminating:

Over 40% of flaws were still unresolved after a year. Nearly 30% took over 90 days to fix. Less than 10% of flaws were fixed in under 8 days. This is not great, people. (Remember, Equifax’s vulnerable period was 60 days.)
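As an added example (not from this article, and not Veracode’s tooling), the script below shows the kind of component tracking the 28% figure refers to and ties it to the fix-time bands above. It parses a constructed Maven-style dependency inventory, matches each component against a constructed advisory list that records the first fixed version, and reports how long each still-unpatched component has been exposed since the advisory was published. Every component name, advisory id, version and date in it is made up for illustration, and the version ordering is a simplified approximation of Maven’s rules, not a full implementation.

```python
"""Flag dependencies with known, unpatched advisories and report exposure time.

All component names, versions, advisory ids and dates in this file are
constructed for the example; the advisory ids are placeholders, not real CVEs.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real advisory
    group: str
    artifact: str
    fixed_in: str      # first version that contains the fix
    published: date    # when the advisory went public


# Constructed inventory in the "group:artifact:type:version:scope" line
# format that Maven's dependency:list goal prints (5-field form only).
INVENTORY = """\
[INFO]    org.example:widget-core:jar:2.3.5:compile
[INFO]    org.example:widget-web:jar:2.3.5:compile
[INFO]    com.example.util:json-light:jar:1.9.0:compile
[INFO]    com.example.util:log-shim:jar:4.1.2-beta1:runtime
"""

# Constructed advisory feed (hypothetical components and dates).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "org.example", "widget-core", "2.3.6", date(2017, 3, 20)),
    Advisory("EXAMPLE-ADV-002", "com.example.util", "json-light", "1.9.0", date(2017, 5, 2)),
    Advisory("EXAMPLE-ADV-003", "com.example.util", "log-shim", "4.1.2", date(2017, 8, 1)),
]

DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):(\w+)\s*$")
VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.]*))?$")


def parse_inventory(text: str) -> list:
    """Extract (group, artifact, version) from each dependency line."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if m:
            deps.append(Dependency(m.group(1), m.group(2), m.group(3)))
    return deps


def version_key(v: str) -> tuple:
    """Comparable key: numeric parts padded so '2.3' == '2.3.0'; a pre-release
    qualifier such as 'beta1' sorts before the bare release of the same number."""
    m = VERSION.match(v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    qualifier = m.group(2)
    return nums, ((1, "") if qualifier is None else (0, qualifier.lower()))


def exposure_bucket(days: int) -> str:
    """Bands matching the report's fix-time figures quoted in the article."""
    if days < 8:
        return "under 8 days"
    if days <= 90:
        return "8 to 90 days"
    if days <= 365:
        return "over 90 days"
    return "over a year"


def audit(inventory_text: str, advisories: list, today) -> list:
    """Return one finding per (dependency, advisory) pair whose installed
    version is older than the fixed version, with exposure time since publication."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for dep in parse_inventory(inventory_text):
        for adv in advisories:
            if (adv.group, adv.artifact) != (dep.group, dep.artifact):
                continue
            if version_key(dep.version) < version_key(adv.fixed_in):
                days = (today - adv.published).days
                findings.append({
                    "component": f"{dep.group}:{dep.artifact}",
                    "version": dep.version,
                    "fixed_in": adv.fixed_in,
                    "advisory": adv.advisory_id,
                    "days_exposed": days,
                    "bucket": exposure_bucket(days),
                })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES, date.today()):
        print(f"{f['component']} {f['version']} -> fix in {f['fixed_in']} "
              f"({f['advisory']}, exposed {f['days_exposed']} days: {f['bucket']})")
```

Run against a real `mvn dependency:list` capture and a real advisory feed, the same loop answers the two questions the report says most organizations cannot: which shipped components have a published fix, and for how long that fix has been sitting unapplied.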

However, progress has been especially significant thanks to another unproblematic fave: DevOps. DevOps organizations that tested frequently with sandbox scanning had a 48% better fix rate than those doing policy-only scanning.

Where do we go from here?

We’re not giving up on open source. It’s the bedrock of the modern internet. But we can do better and we can be more mindful about where our code is coming from.

Organizations and enterprises should devote more time to security and updating. An ounce of prevention is worth a pound of cure. No one wants to be the next big name victim of a massive security flaw. So, stop playing hot potato and kicking this security can down the line, hoping the next massive breach passes you by.

The odds are not in your favor.


Veracode’s 2017 State of Software Security Report can be downloaded here.

Jane Elizabeth
Jane Elizabeth is an assistant editor for